
Windows Analysis Report
CuratorStandardSetup.exe

Overview

General Information

Sample name:CuratorStandardSetup.exe
Analysis ID:1439300
MD5:37e44e8c19fd8bc70047754346cc18e9
SHA1:07797a9e5d5af865913c5d1147ddcfd623bd19ef
SHA256:faf966bb5a225d91333e2915dca6294db72f54ecb98720890f53270ce4a747c9

Detection

Score:40
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Contain functionality to detect virtual machines
Installs new ROOT certificates
Machine Learning detection for dropped file
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Writes many files with high entropy
Checks for debuggers (devices)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • CuratorStandardSetup.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\CuratorStandardSetup.exe" MD5: 37E44E8C19FD8BC70047754346CC18E9)
    • deactivate.exe (PID: 5716 cmdline: "C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe" /OPENLF MD5: 0F979E7E706E1BDD0BECB0766B386C57)
    • DXSETUP.exe (PID: 5676 cmdline: "C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe" MD5: BF3F290275C21BDD3951955C9C3CF32C)
    • OrteliaCurator.exe (PID: 4088 cmdline: "C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe" MD5: A920B45A4CB4B98E152C745B714A2AD8)
      • QuestViewer.exe (PID: 3284 cmdline: QuestViewer.exe Q3DStart.q3d MD5: 16E05FBD59127A172B69DBAEA52AB595)
  • SrTasks.exe (PID: 7088 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Virustotal: Detection: 15%
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Joe Sandbox ML: detected
Source: CuratorStandardSetup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Window detected: < &BackI &AgreeCancelNullsoft Install System v2.46 Nullsoft Install System v2.46License AgreementPlease review the license terms before installing Ortelia Curator 1.3.Press Page Down to see the rest of the agreement.OrteliaSOFTWARE LICENSE AGREEMENTWorldwideREAD CAREFULLY: Ortelia INC. ("Ortelia") LICENSES THIS SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT").BY SELECTING THE "I ACCEPT" / "AGREE" BUTTON BELOW THIS AGREEMENT OR BY COPYING INSTALLING UPLOADING ACCESSING OR USING ALL OR ANY PORTION OF THE SOFTWARE YOU AGREE TO BE LEGALLY BOUND BY THIS AGREEMENT. A CONTRACT IS THEN FORMED BETWEEN Ortelia AND EITHER YOU PERSONALLY IF YOU ACQUIRE THE SOFTWARE FOR YOURSELF OR THE COMPANY OR OTHER LEGAL ENTITY FOR WHICH YOU ARE ACQUIRING THE SOFTWARE.IF YOU DO NOT AGREE OR DO NOT WISH TO BIND YOURSELF OR THE ENTITY YOU REPRESENT: (A) DO NOT COPY INSTALL UPLOAD ACCESS OR USE THE SOFTWARE; (B) SELECT THE "I REJECT" / "DISAGREE" BUTTON BELOW THIS AGREEMENT (WHICH WILL CANCEL THE LOADING OF THE SOFTWARE); AND (C) WITHIN THIRTY (30) DAYS FROM THE DATE OF ACQUISITION RETURN THE SOFTWARE TO THE LOCATION WHERE YOU ACQUIRED IT FOR A REFUND.COPYING INSTALLATION UPLOADING ACCESS OR USE OF THIS SOFTWARE OR ANY ACCOMPANYING DOCUMENTATION OR MATERIALS EXCEPT AS PERMITTED BY THIS AGREEMENT IS UNAUTHORIZED AND CONSTITUTES A MATERIAL BREACH OF THIS AGREEMENT AND AN INFRINGEMENT OF THE COPYRIGHT AND OTHER INTELLECTUAL PROPERTY RIGHTS IN SUCH SOFTWARE AND DOCUMENTATION. IF YOU COPY INSTALL UPLOAD ACCESS OR USE ALL OR ANY PORTION OF THIS SOFTWARE OR ITS USER DOCUMENTATION WITHOUT ENTERING INTO THIS AGREEMENT OR OTHERWISE OBTAINING WRITTEN PERMISSION OF Ortelia YOU ARE VIOLATING COPYRIGHT AND OTHER INTELLECTUAL PROPERTY LAW. YOU MAY BE LIABLE TO Ortelia AND ITS LICENSORS FOR DAMAGES AND YOU MAY BE SUBJECT TO CRIMINAL PENALTIES.1.DEFINITIONS1.1"Access" means to use or benefit from using the functionality of the Software.1.2"Ortelia Materials" is the collective term for the Software User Documentation and Excluded Materials.1.3"Computer" means a single electronic device with one or more central processing units (CPUs) that accepts information in digital or similar form and manipulates the information for a specific result based on a sequence of instructions.1.4"Excluded Materials" means any programs modules components or functionality if any that may be included on media or with materials delivered to You that are not within the License Parameters as described in the User Documentation or for which You have not paid the applicable fees.1.5"Install" means to place a copy of Software onto a hard disk or other storage medium through any means (including but not limited to use of an installation utility application accompanying the Software).1.6"License Parameters" means the definition and limitation of the applicable license scope in Section 2.2 hereof.1.7"Permitted Number" means a number r
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Window detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | File created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\ffmpeg\README.txt
Source: Binary string: C:\src\build\intel\cr80_Q3D.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012825000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011C15000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011CA9000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000129B9000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012FE8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psapi.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000134F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Program Files\Feeling Software\FCollada\Output\Release DLL Win32\FCollada.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Program Files\Feeling Software\FCollada\Output\Release DLL Win32\FCollada.pdb0! source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\src\build\intel\cm80_Q3D.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012944000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012F73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\src\build\intel\cp80_Q3D.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.000000001278B000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000128B6000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011DD0000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012ED9000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011D42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d3dx9_42.pdb source: DXSETUP.exe, 00000006.00000003.2189311925.000000000466E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d3dx9_31.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012A4A000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012C9E000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000132BA000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.000000001254F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DXSETUP.pdb source: DXSETUP.exe, DXSETUP.exe, 00000006.00000002.2192804104.0000000000C31000.00000020.00000001.01000000.0000000B.sdmp, DXSETUP.exe, 00000006.00000000.1911259427.0000000000C31000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: dxupdate.pdb source: DXSETUP.exe, DXSETUP.exe, 00000006.00000002.2194471577.000000006C971000.00000020.00000001.01000000.0000000F.sdmp
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00405D07 FindFirstFileA,FindClose,0_2_00405D07
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405331
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E71494 GlobalFix,GlobalUnWire,FindFirstFileA,__itoa,FindNextFileA,__itoa,FindClose,FindClose,__itoa,GetLastError,GlobalAlloc,GlobalFix,GlobalUnWire,5_2_03E71494
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E33FEB __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,5_2_03E33FEB
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C344B1 FindFirstFileA,FindClose,6_2_00C344B1
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97A3EB FindFirstFileA,FindClose,6_2_6C97A3EB
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C981473 WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_memset,FindFirstFileA,FindClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,6_2_6C981473
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97D86D GetWindowsDirectoryA,GetLastError,_strrchr,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,6_2_6C97D86D
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97E7AF lstrcmpA,_memset,GetSystemDirectoryA,GetLastError,StringFromGUID2,WideCharToMultiByte,GetLastError,FindFirstFileA,FindNextFileA,FindClose,6_2_6C97E7AF
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97FB07 _memset,_memset,GetWindowsDirectoryA,GetLastError,_memset,FindFirstFileA,lstrcmpA,lstrcmpA,GetFileAttributesA,GetLastError,FindNextFileA,FindClose,6_2_6C97FB07
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: libiconv.txt.14.dr | String found in binary or memory: http://fsf.org/
Source: CuratorStandardSetup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: CuratorStandardSetup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: deactivate.exe, deactivate.exe, 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp, deactivate.exe, 00000005.00000002.1924918994.0000000003EEC000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, QuestViewer.exe, 0000000F.00000002.3603619116.00000000004F4000.00000040.00000001.01000000.00000011.sdmp, QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://test.softwarekey.com/unlock/test.asp
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.BetaPlace.com
Source: DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.BetaPlace.com.
Source: DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.BetaPlace.com.?
Source: DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.BetaPlace.comEContinuare
Source: vo-aacenc.txt.14.dr | String found in binary or memory: http://www.apache.org/licenses/
Source: vo-aacenc.txt.14.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.betaplace.com
Source: DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.betaplace.com.
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchemautf-8techniquelibrary_nodesFArchiveXMLbad
Source: libiconv.txt.14.dr | String found in binary or memory: http://www.gnu.org/licenses/
Source: libiconv.txt.14.dr | String found in binary or memory: http://www.gnu.org/philosophy/why-not-lgpl.html
Source: deactivate.exe, deactivate.exe, 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp, deactivate.exe, 00000005.00000002.1924918994.0000000003EEC000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, QuestViewer.exe, 0000000F.00000002.3603619116.00000000004F4000.00000040.00000001.01000000.00000011.sdmp, QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3610289941.00000000065F9000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2430734618.0000000006BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ortelia.com
Source: QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ortelia.com/orteliacurator/
Source: QuestViewer.exe, 0000000F.00000002.3610289941.00000000065F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ortelia.com=
Source: QuestViewer.exe, 0000000F.00000002.3610844775.0000000006BEF000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2430734618.0000000006BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ortelia.comm
Source: QuestViewer.exe, 0000000F.00000003.2427522008.00000000065FA000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3610289941.00000000065F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ortelia.coms
Source: QuestViewer.exe, 0000000F.00000002.3610844775.0000000006BEF000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2430734618.0000000006BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ortelia.comu
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011E56000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quest3d.com)
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011E56000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quest3d.com)HttpControl
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quest3d.com/
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quest3d.com/Quest3D
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quest3d.com/This
Source: QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.softwarekey.com/solo/customers/
Source: deactivate.exe, 00000005.00000003.1923924434.00000000041B3000.00000004.00000020.00020000.00000000.sdmp, deactivate.exe, 00000005.00000003.1924001388.00000000041B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.softwarekey.com/solo/customers/MMyE
Source: QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.softwarekey.com/solo/customers/S
Source: QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.softwarekey.com/solo/customers/forgotpw.asp
Source: QuestViewer.exe, 0000000F.00000003.2426970111.0000000003D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.softwarekey.com/solo/customers/forgotpw.aspduct
Source: QuestViewer.exe, 0000000F.00000002.3608008418.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2426970111.0000000003D50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.softwarekey.com/solo/customers/forgotpw.asprQ
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EE8
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C34D57 CreateMutexA,GetLastError,SetErrorMode,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetAsyncKeyState,ExitWindowsEx,#17,FreeLibrary,GetLastError,GetLastError,FreeLibrary,GetLastError,GetLastError,CloseHandle,CloseHandle,EnumWindows,6_2_00C34D57
Source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011E56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Aco_DX8_DirectInputChannel::InitDInput(): DirectInput8Create failedmemstr_e8bbb4a0-a
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E2A861 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,5_2_03E2A861
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03EC92F4 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,5_2_03EC92F4

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe entropy: 7.99989119563
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\OrteliaSpace.exe entropy: 7.99967126618
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Aug2009_D3DCompiler_42_x64.cab entropy: 7.99957136175
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Aug2009_D3DCompiler_42_x86.cab entropy: 7.99842068957
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Aug2009_d3dcsx_42_x64.cab entropy: 7.99984491493
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Aug2009_d3dcsx_42_x86.cab entropy: 7.99930253186
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Aug2009_d3dx9_42_x64.cab entropy: 7.99974531658
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Aug2009_d3dx9_42_x86.cab entropy: 7.9995782396
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Jun2010_D3DCompiler_43_x64.cab entropy: 7.99961123642
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Jun2010_D3DCompiler_43_x86.cab entropy: 7.99830682848
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Jun2010_d3dcsx_43_x64.cab entropy: 7.99950571437
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Jun2010_d3dcsx_43_x86.cab entropy: 7.99694951512
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Jun2010_d3dx9_43_x64.cab entropy: 7.99969323394
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\Jun2010_d3dx9_43_x86.cab entropy: 7.99948301798
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator\DirectX\dxupdate.cab entropy: 7.99414458917
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | File created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\source\libwkhtmltox-0.11.0_rc1.zip entropy: 7.99683137144

System Summary

barindex
Source: deactivate.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: deactivate.exe.0.drStatic PE information: section name:
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exeCode function: 5_2_03E21E10 GetModuleHandleA,GetProcAddress,NtSetInformationProcess,MessageBoxA,5_2_03E21E10
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E2825B NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E52780 NtdllDefWindowProc_A,GetClientRect,MoveWindow,KillTimer
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E2ABA8 NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E2CEA4 __snprintf_s,__snprintf_s,NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E2CE93 __CxxThrowException@8,__snprintf_s,NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E8B2B0 InvalidateRect,_sprintf,BeginPaint,SetBkMode,TextOutA,EndPaint,SendMessageA,SendMessageA,SendMessageA,NtdllDefWindowProc_A,EndDialog,EndDialog,BeginPaint,SetBkMode,SendMessageA,SendMessageA,SendMessageA,_sprintf,TextOutA,TextOutA,_sprintf,_sprintf,TextOutA,EndPaint,LoadLibraryA,GetProcAddress,FreeLibrary,CreateWindowExA
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E2D0FD _memset,NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E79535 NtdllDefWindowProc_A
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C98CAE7 ___initmbctable,NtQueryValueKey
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E7EF86 DeviceIoControl
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E7E74D OpenSCManagerA,GetLastError,OpenServiceA,GetLastError,ControlService,QueryServiceStatus,QueryServiceStatus,Sleep,QueryServiceStatus,GetLastError,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C34D57 CreateMutexA,GetLastError,SetErrorMode,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetAsyncKeyState,ExitWindowsEx,#17,FreeLibrary,GetLastError,GetLastError,FreeLibrary,GetLastError,GetLastError,CloseHandle,CloseHandle,EnumWindows
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C36964 GetSystemDirectoryA,GetLastError,#17,ExitWindowsEx
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | File created: C:\Windows\SysWOW64\55DRRUFD.ocx
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | File created: C:\Windows\HJV3R3BS.ocx
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | File created: C:\Windows\Logs\DirectX.log
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00406128
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_004046F9
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_004068FF
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_00484058
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_00454171
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004442FC
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004523F7
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004DC65E
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004826A4
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0048C7E0
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0049C900
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_00452939
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004169C3
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0042AA91
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004D8B10
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_00452FF9
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004C3190
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0046D32A
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0041B7E1
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0041F870
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004179EE
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0043FCF8
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_004DBE2C
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_00451EB5
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E3829B
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E4A229
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E941F0
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E3E1FA
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E12171
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E840D0
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E386BB
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03ED0400
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03EBAA80
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E64C1A
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E17160
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E37080
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E497A5
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03ED371C
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E375E8
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E3BBEC
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E37ABB
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E4BA61
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E7B948
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E79F94
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03ED3F4E
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E37E8F
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E49CE7
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C3EE9B
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C39400
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C4503D
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C44921
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C456FC
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C44E6A
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C443D8
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C980CB3
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C991DD6
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C98680F
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97D86D
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C982D36
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97EA87
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C98D200
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C98FF6D
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C980362
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | Code function: 15_3_01381C90
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: String function: 6C979BC1 appears 324 times
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: String function: 6C97B0F6 appears 31 times
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: String function: 6C98D1A0 appears 31 times
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: String function: 00C3390A appears 59 times
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: String function: 6C979A40 appears 211 times
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: String function: 00C3ABA8 appears 31 times
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: String function: 0044213D appears 128 times
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: String function: 03E39A2D appears 117 times
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: String function: 03E39F84 appears 63 times
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: String function: 00443530 appears 31 times
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: String function: 00442694 appears 58 times
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: String function: 03E3AE20 appears 37 times
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: String function: 03E54055 appears 36 times
Source: CuratorStandardSetup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: deactivate.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: deactivate.exe.0.dr | Static PE information: Section: .rdata ZLIB complexity 1.00537109375
Source: deactivate.exe.0.dr | Static PE information: Section: .data ZLIB complexity 1.0071614583333333
Source: classification engine | Classification label: mal40.rans.evad.winEXE@11/411@0/0
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: http://orteliacurator.com/
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: http://www.nvidia.com/content/global/global.php
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: http://www.microsoft.com/games/en-US/aboutGFW/pages/directx.aspx
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: http://ortelia.com/forums/
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: mailto:support@orteliacurator.com?subject=Ortelia%20Curator%20Support
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: file:///D:/Ortelia/Docs/MayneControls/system-requirements
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: http://ortelia.com/Forums/
Source: OrteliaSpaceHelp.pdf.0.dr | Initial sample: http://www.microsoft.com/games/en-us/aboutgfw/pages/directx.aspx
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E8C32A _memset,_memset,_memset,GlobalAlloc,GlobalFix,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,GlobalFree,GlobalFree,GetLastError,GlobalFree,GetLastError,GetLastError,FormatMessageA,GetDesktopWindow
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C34163 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,FreeLibrary,GetLastError
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03ECC061 FindResourceA,LoadResource,LockResource,FreeResource
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Program Files (x86)\Ortelia Curator
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Users\Public\Desktop\Ortelia Curator.lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Mutant created: \Sessions\1\BaseNamedObjects\***DirectXSetupA***
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSETUP DLL Mutex
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Mutant created: \Sessions\1\BaseNamedObjects\DirectX Setup
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File created: C:\Users\user\AppData\Local\Temp\nsc6778.tmp
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Command line argument: WinMain (6_2_00C34D57)
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Command line argument: dsetup.dll (6_2_00C34D57)
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Command line argument: DirectXSetupA (6_2_00C34D57)
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Command line argument: FreeLibrary() (6_2_00C34D57)
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Command line argument: LoadLibrary() (6_2_00C34D57)
Source: CuratorStandardSetup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: deactivate.exe | String found in binary or memory: set-addPolicy
Source: deactivate.exe | String found in binary or memory: id-cmc-addExtensions
Source: QuestViewer.exe | String found in binary or memory: set-addPolicy
Source: QuestViewer.exe | String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File read: C:\Users\user\Desktop\CuratorStandardSetup.exe
Source: unknown | Process created: C:\Users\user\Desktop\CuratorStandardSetup.exe "C:\Users\user\Desktop\CuratorStandardSetup.exe"
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Process created: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe "C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe" /OPENLF
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Process created: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe "C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe"
Source: unknown | Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Process created: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe "C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe"
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Process created: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe QuestViewer.exe Q3DStart.q3d
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: advpack.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: dsetup.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: sfc.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: srclient.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: spp.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: vssapi.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: vsstrace.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: sxproxy.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: cabinet.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: devrtl.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: spinf.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Section loaded: drvstore.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe | Section loaded: vss_ps.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Section loaded: cr80_q3d.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Section loaded: cp80_q3d.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Ortelia Curator.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
Source: Ortelia Curator.lnk0.0.dr LNK file: ..\..\..\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
Source: Curator Help.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Ortelia Curator\OrteliaCuratorHelp.pdf
Source: Deactivate Licence.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Ortelia Curator\tools\deactivate.exe
Source: Ortelia Space.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Ortelia Curator\OrteliaSpace.exe
Source: Ortelia Space.lnk0.0.dr LNK file: ..\..\..\Program Files (x86)\Ortelia Curator\OrteliaSpace.exe
Source: Space Help.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Ortelia Curator\OrteliaSpaceHelp.pdf
Source: Uninstall.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Ortelia Curator\uninst.exe
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File written: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\ioSpecial.ini
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Window found: window name: SysTabControl32
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe Automated click: Next >
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe Automated click: I Agree
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe Automated click: Install
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Automated click: I accept the agreement
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Automated click: Next >
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Automated click: I accept the agreement
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe Window detected: < &BackI &AgreeCancelNullsoft Install System v2.46 Nullsoft Install System v2.46License AgreementPlease review the license terms before installing Ortelia Curator 1.3.Press Page Down to see the rest of the agreement.OrteliaSOFTWARE LICENSE AGREEMENTWorldwideREAD CAREFULLY: Ortelia INC. ("Ortelia") LICENSES THIS SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT").BY SELECTING THE "I ACCEPT" / "AGREE" BUTTON BELOW THIS AGREEMENT OR BY COPYING INSTALLING UPLOADING ACCESSING OR USING ALL OR ANY PORTION OF THE SOFTWARE YOU AGREE TO BE LEGALLY BOUND BY THIS AGREEMENT. A CONTRACT IS THEN FORMED BETWEEN Ortelia AND EITHER YOU PERSONALLY IF YOU ACQUIRE THE SOFTWARE FOR YOURSELF OR THE COMPANY OR OTHER LEGAL ENTITY FOR WHICH YOU ARE ACQUIRING THE SOFTWARE.IF YOU DO NOT AGREE OR DO NOT WISH TO BIND YOURSELF OR THE ENTITY YOU REPRESENT: (A) DO NOT COPY INSTALL UPLOAD ACCESS OR USE THE SOFTWARE; (B) SELECT THE "I REJECT" / "DISAGREE" BUTTON BELOW THIS AGREEMENT (WHICH WILL CANCEL THE LOADING OF THE SOFTWARE); AND (C) WITHIN THIRTY (30) DAYS FROM THE DATE OF ACQUISITION RETURN THE SOFTWARE TO THE LOCATION WHERE YOU ACQUIRED IT FOR A REFUND.COPYING INSTALLATION UPLOADING ACCESS OR USE OF THIS SOFTWARE OR ANY ACCOMPANYING DOCUMENTATION OR MATERIALS EXCEPT AS PERMITTED BY THIS AGREEMENT IS UNAUTHORIZED AND CONSTITUTES A MATERIAL BREACH OF THIS AGREEMENT AND AN INFRINGEMENT OF THE COPYRIGHT AND OTHER INTELLECTUAL PROPERTY RIGHTS IN SUCH SOFTWARE AND DOCUMENTATION. IF YOU COPY INSTALL UPLOAD ACCESS OR USE ALL OR ANY PORTION OF THIS SOFTWARE OR ITS USER DOCUMENTATION WITHOUT ENTERING INTO THIS AGREEMENT OR OTHERWISE OBTAINING WRITTEN PERMISSION OF Ortelia YOU ARE VIOLATING COPYRIGHT AND OTHER INTELLECTUAL PROPERTY LAW. YOU MAY BE LIABLE TO Ortelia AND ITS LICENSORS FOR DAMAGES AND YOU MAY BE SUBJECT TO CRIMINAL PENALTIES.1.DEFINITIONS1.1"Access" means to use or benefit from using the functionality of the Software.1.2"Ortelia Materials" is the collective term for the Software User Documentation and Excluded Materials.1.3"Computer" means a single electronic device with one or more central processing units (CPUs) that accepts information in digital or similar form and manipulates the information for a specific result based on a sequence of instructions.1.4"Excluded Materials" means any programs modules components or functionality if any that may be included on media or with materials delivered to You that are not within the License Parameters as described in the User Documentation or for which You have not paid the applicable fees.1.5"Install" means to place a copy of Software onto a hard disk or other storage medium through any means (including but not limited to use of an installation utility application accompanying the Software).1.6"License Parameters" means the definition and limitation of the applicable license scope in Section 2.2 hereof.1.7"Permitted Number" means a number r
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Window detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: CuratorStandardSetup.exe Static file information: File size 98839899 > 1048576
Source: Binary string: C:\src\build\intel\cr80_Q3D.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012825000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011C15000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011CA9000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000129B9000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012FE8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psapi.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000134F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Program Files\Feeling Software\FCollada\Output\Release DLL Win32\FCollada.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Program Files\Feeling Software\FCollada\Output\Release DLL Win32\FCollada.pdb0! source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\src\build\intel\cm80_Q3D.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012944000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012F73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\src\build\intel\cp80_Q3D.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.000000001278B000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000128B6000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011DD0000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012ED9000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011D42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d3dx9_42.pdb source: DXSETUP.exe, 00000006.00000003.2189311925.000000000466E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d3dx9_31.pdb source: OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012A4A000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000012C9E000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000132BA000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.000000001254F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DXSETUP.pdb source: DXSETUP.exe, DXSETUP.exe, 00000006.00000002.2192804104.0000000000C31000.00000020.00000001.01000000.0000000B.sdmp, DXSETUP.exe, 00000006.00000000.1911259427.0000000000C31000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: dxupdate.pdb source: DXSETUP.exe, DXSETUP.exe, 00000006.00000002.2194471577.000000006C971000.00000020.00000001.01000000.0000000F.sdmp
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405D2E
Source: deactivate.exe.0.dr Static PE information: section name:
Source: ffmpeg.exe.14.dr Static PE information: section name: .rodata
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_0041805C push ds; iretd 5_2_00418060
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_0042C262 pushad ; ret 5_2_0042C263
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_00442215 push ecx; ret 5_2_00442228
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_004426D9 push ecx; ret 5_2_004426EC
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_0042E6F1 push E80C7510h; ret 5_2_0042E6F6
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_0042CC15 push eax; ret 5_2_0042CC16
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_00415FDB push 0F0F9BA5h; retf 5_2_00415FE1
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_03E39B05 push ecx; ret 5_2_03E39B18
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_03E39FC9 push ecx; ret 5_2_03E39FDC
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_00C3ABED push ecx; ret 6_2_00C3AC00
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C98D1E5 push ecx; ret 6_2_6C98D1F8
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Code function: 15_3_013767E0 push ebp; ret 15_3_013767E1
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe Code function: 15_3_01379480 push ebp; ret 15_3_01379481
Source: deactivate.exe.0.dr Static PE information: section name: .text entropy: 7.949394518601709
Source: deactivate.exe.0.dr Static PE information: section name: entropy: 7.937828564326785

Persistence and Installation Behavior

Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\21B682FC-63BD-461C-A9EF-F533563AAD47.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EBD84E0B-137A-45E2-A63E-EC1D98852828.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\InstallOptions.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Q3dTool_StartProgram.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\122557DC-CABF-4806-AFA1-B0A0DD9C8C5F.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B420ABA8-6E6B-4A31-82A2-CA5AE2B66577.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\9D28CD4B-2103-4E99-B1EE-C338242E165D.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\060BCDDB-FC6B-4360-9E37-A7B42C6C4D23.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\060F2106-8CEF-4DC9-9E80-27D654FE2014.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\HlslUnique.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\CF3378B6-F19D-488D-9361-9C35F8382722.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2690162E-A224-4267-AE70-413D8C0912A8.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AA393DA1-CDFA-4C96-8490-DE024F8FDABC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2F605354-314D-4775-86E4-1F733550B227.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\98813502-F9E2-4DDD-BB21-02762CF9583A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3237CF29-DB73-47D8-B4B9-A6CE2E1E60F1.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\9D045960-EAC2-4C40-9BBF-10F32F7FA305.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\894B077B-D372-4166-8F39-F188F9C3C237.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2A4F38AA-1942-4466-A306-0B85AB327BBB.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\338BF88C-5F15-408F-8DC2-614E31D333B2.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceMatrix.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\SetTexturePixel.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\ssleay32.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\CE741BA0-8AE3-4191-9F2E-EF8928892D37.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A19F6C27-85A3-45F3-A17B-9C1107E7A09A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1ABC2216-3D9A-4B62-95CA-1ACA029F703E.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2EAD7434-29D5-4CA1-9700-B6A770FBD7F7.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\XMLDOMObject.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B18ED5B7-4FAC-4C2B-840E-58BEFB419617.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\wkhtmltopdf.exe
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4DE5B0C2-DDAC-4927-AC0F-73D422863D69.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\809FD14E-C408-4DE6-BC3D-AB69C47238F6.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\psapi.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\cr80_Q3D.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F26BB40B-B196-4AB9-B59E-FA7C8FF436F9.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\libgcc_s_dw2-1.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\XMLDOMCommand.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F467CCEE-F308-4741-A1FE-3D58B78C7AF1.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\E2D1C95B-1B84-4D94-A373-BEBABADF7AEE.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\5FE055B0-4269-4B25-9F31-157C835EC678.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0E43F737-C7AA-491D-B3A5-C6B0D9DC6483.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1B002068-B627-41F2-95CD-E45489A5142F.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\SunPosition.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7805644A-FB2C-4BA2-8A8B-3D73D441D338.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1B91B38D-F453-4EC9-83C3-6FBB48B87A62.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BED6EA12-2615-49CB-BBBF-67EE0EC7AF8B.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\DD626E09-F497-4A34-9032-47AD4D2BCBD7.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\624FAFE1-326D-4444-8768-D0D405FE0D23.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8C3D0983-CC73-4A3D-AB5A-9D40D9FD6E1D.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\StartPathChannel.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D5DE69E6-690D-4A06-ACE7-96BB143367DD.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceFunctionParameter.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\KeepRunning.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6918910A-F8BA-43C4-B8D4-CD6587D0F67C.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceValue.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0DEA1FCC-A682-47D7-A525-DC288850A3BF.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4DF6BAF0-3AED-407A-926F-35B2BBB62D0C.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6B8855CC-B67A-404A-8941-395C1314C2AC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\688FBE45-F29E-4FFE-8CBF-68BFE093B1EC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F9388FDD-EEEA-459F-9246-E7AC017E0062.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7D101BC8-E798-42FF-95E7-216902731C0E.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\21A8923D-B908-4104-AE88-B6718D8A8678.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BAC7326D-6DDC-4ECF-B821-6A52C8287DC7.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\89E051CA-4273-4EB9-89C8-5FD0CDA1B026.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cr80_Q3D.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BB029F54-D13C-47B3-A75A-B84581CDC303.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8BA3FB7B-C452-4ED1-BAC4-529877249C28.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8A5B6098-82B6-4BF0-A6CC-C36770E10685.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BC052C38-2D5D-4F0C-A0CA-654D0AFC584A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceThisClass.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1352B30C-2B0C-411F-8791-2107E78FF8E3.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4236B155-BEEB-4806-A4E7-0A3610B5CEFD.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2EE7E3C5-5969-4117-A8A4-074D7C9986E3.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AE617852-4B25-44C1-920A-01A53B2B5EAB.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EB69314C-9A02-43D7-BB94-EA27A32AA120.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceRefFromContainer.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceText.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8BB8F3A3-58FA-48A5-BDC3-E984862BABBE.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A550BB21-BE5C-4675-B53E-3FA246F76538.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8A6078ED-69D4-4DB4-9ADB-A3987B26369A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EF1644CB-C99E-44B9-B07C-EC8A9E9F2CBA.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F9CEB566-E5C4-4B13-9DDF-908FE6B6AFA4.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F7709F2F-62CF-4D08-A1DC-BC736F85E6DC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\04E1045F-0DCF-4FEA-89A6-A1B4EB85ECFA.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D180017B-B44B-4847-98CC-48453821DEAC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6AA381C0-E9D5-4EAE-A7F6-19BED1B1F662.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B6225961-01DA-463D-B5F7-3AD6541F5BD8.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7B54C17D-1AB0-4882-9612-9628DAB6CA37.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F31897FC-64C3-4FF7-96E0-854BB1E13046.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\22B59A05-4C3F-4936-862D-3656FB99C6F3.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C682A43C-22B3-4CDD-A0EA-CF1B3FAE63D5.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cm80_Q3D.DLLJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FBB1D22B-CBB2-4A2A-AAC3-4BB57F144FD4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7A4813B2-0BE6-408B-BD46-8A20E747A47E.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceInfoValue.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AA15B5D1-654C-4C0A-BE3B-EC3E5890D88A.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceItem.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\676D2DE0-210E-4A1F-81AA-11CDB316796A.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0A1C3637-A047-4740-A761-1247CEF0E940.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exeFile created: C:\Users\user\AppData\Local\Temp\DX10C8.tmp\dxupdate.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2B10BAE4-83A1-41F5-87CD-EB69473D6538.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\563D75D1-D67B-403A-B8B6-FA6094943330.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7DFC389A-BDFD-4092-93AB-D0B93A030DD6.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\cp80_Q3D.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\59A93B79-C960-4E83-A1AE-6D3811315C09.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C0EF3703-84D2-4C4D-B9FF-BD8ADE7E9AE4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3423DAD4-77ED-4B4C-9F00-59CB533388C6.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FileSaver.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceFunction.dllJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeFile created: C:\Program Files (x86)\Ortelia Curator\uninst.exeJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\11737E4A-A69C-4946-9D48-E560F3F29A7B.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3FF51E2F-6D04-4297-BC69-079C555FF765.dllJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeFile created: C:\Program Files (x86)\Ortelia Curator\DirectX\DSETUP.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AC73F78E-667D-4DB5-B22B-BCA1D98A1540.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6514FE12-88CF-480B-A3D8-7730C0CD23B3.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\78167FBA-D3FF-4D4D-B6A3-51AAB049F11C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6092038D-B179-4C10-8D7F-04F35E9EFEA4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B028B538-D554-434B-88CE-AA79A717C396.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BDAC0FBF-AEE8-4E6C-918C-2672F89026E4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C664AE43-1451-4760-8A20-38004EDE1C65.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\libeay32.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\E1F00F2A-EFD1-4AEB-A689-6A8465BCF5FA.dleJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceVector.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\72180A77-77D5-427D-8A3E-D5838CC249C1.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\FCollada.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8817838B-4E9E-46B5-85F9-178A97C6EF4F.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F5BF6106-8544-495D-9BCA-E69A6F42BF95.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3090BC3C-E6B0-4CFA-8D3E-14D988A17828.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Command2.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceCommand.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\59283614-4E90-42B0-83A1-8FD225004619.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\83783433-179C-4997-A4A5-C6F820CBFDB6.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\10C20C0A-7A55-4084-8676-95E5699BCEC2.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FolderDialog.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1DA5051C-C13B-4A3F-9EAB-7AA9C79FB8E0.dllJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\UserInfo.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\04EB85EB-DA14-4E18-9F9C-A0EFF6837B00.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\HighPoly.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D01A1329-F854-4AFA-BDDC-70A1CD5AE25B.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\E34823CE-646E-46FE-8B36-0B9483ABB6F5.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceContainer.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2DFC141F-B06C-47B3-B7F9-2ABFB08C190E.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8B959D25-5101-437B-A908-359E2AE36CF2.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0A97F0FB-BE04-46CC-93C0-59465B4775F9.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\11111111-1111-1111-1111-111111111111.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Q3dTool_MTCaller.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C57A9D3F-0C29-41E0-B11E-BBED4C17AAF8.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6BE5BC8E-8036-4BDD-8FDA-591F6BDB68BB.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FileLoader.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\18F9C150-2530-4B16-9D95-D31ECC69425F.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\MoonPosition.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\00560937-855B-4DF7-8B7A-48D321F7F819.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1118038E-554C-492C-8E03-928F76A7EEC0.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Directory.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\522A4C57-2831-4C4D-B28F-495F325AC9C3.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\PersonalEncrypt.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6E6FB247-4627-4FBE-8973-48344F23881E.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\CBCCC586-CAE0-45AE-9689-F5C179360700.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2346A6DF-5942-4CB5-9908-E59CEC72841F.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceCreation.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AB37DFCA-32A2-4A4B-9DD9-09282EE3037A.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceRefContainer.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3164909D-47F3-43EF-8DF8-E8E95E8E22ED.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\98012B2B-BF6C-4D22-BEDE-267F5901889B.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EACC7F74-0344-4C1F-9BC2-400EC0C7C499.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\22E1776C-E806-4FD0-BF53-92AD157F71FF.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7AF0080E-C5C3-4BE5-8FB9-A9E2CF6FC9F1.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Internet.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\145D3B82-FDC2-4925-A66B-7DCFFF022A97.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\ClassType.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BE69CCC4-CFC1-4362-AC81-767D199BBFC3.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\5F672C7F-7F68-408E-88AE-286A3F2F873A.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1B6063A5-A3B4-4025-B7A4-5BD4E1E2E7AA.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BE8C55B0-3057-4F3D-AB5A-5791EEA8D946.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\63C9809D-F615-4FED-A77C-B8F071AA3DB0.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3521B4CA-AE38-4009-8FF9-D18505384F69.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceChannel.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\9E2350D9-A93D-4CC1-BCCE-930A60AF14A4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\85FA981B-D6EA-415A-A1D6-675D83C7CAC6.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4DD461D0-7C4E-45EF-91AB-F211F9B920F2.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4B22839D-2545-400D-A5C9-D977058037AA.dllJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeFile created: C:\Program Files (x86)\Ortelia Curator\DirectX\dsetup32.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3C0ED055-563B-4B10-8DC6-6EAE2EEEBE96.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\85642FF9-3940-4196-9596-90409AF1CDB4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B973720E-2CC1-4F5C-A35A-33A152E2453E.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2C71A155-C5F7-4F48-A548-0CAD5A323CA1.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\69D8970F-E413-47BB-8E51-4C25B0F65E51.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0DE141BF-025D-4313-94AF-BE13150C6458.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\MoonInfo.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\30FD388D-99F9-41D2-8854-FF78FBA9A0D4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3BD317EE-88F4-4463-9AD3-B18F1BA4CF4B.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\5A4A4C8D-81A4-4A1E-828D-53C15D3B8E3C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceRefItem.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceType.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\ffmpeg\bin\ffmpeg.exeJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D8386F07-7A2B-4DD3-AD23-8470B80B7689.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\95117CD9-4859-4C6E-BC58-4F817E9D5D4F.dllJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeFile created: C:\Program Files (x86)\Ortelia Curator\OrteliaSpace.exeJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeFile created: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\09F292F7-25DB-49F7-A863-83DCD2ABC616.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\SunInfo.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\DF5BF7F7-C204-4F6E-BDB8-666A53DFCC58.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A488E6B9-0DA7-4E32-A2E6-0510CBE81B41.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F48570A2-D00B-4280-B381-BB9A952FE8AA.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\376A9C13-8D66-49EC-BAE5-D59BE13BC519.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\78B61427-E90F-467F-9941-1E647350E6F6.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D0703B82-CC0F-4B4A-8AFC-08124B0ADA6C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0CC1D8C2-57EB-4427-842F-BCD32F2FCCF3.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2E96F5B2-11F5-42D0-84A2-353DDC3609FC.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\41B94656-9497-45C3-82DC-9BE77D93133C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\19FD5D1D-3F76-49D6-9C4F-44A29B304EC0.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\DD2CD91D-2928-4324-BB1E-36DEC301E63C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cp80_Q3D.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A1617BEA-2E4A-4A92-B235-509245665AFC.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\mingwm10.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\68260755-F5CB-4EB9-9CAC-7CB9FEA5C753.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeFile created: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\d3dx9_31.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C980CB3 DirectXUpdateGetSetupInformation,GetModuleFileNameA,GetLastError,_strnlen,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,6_2_6C980CB3
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C97F070 GetPrivateProfileIntA,_strnlen,CharLowerA,_strnlen,_strnlen,_strnlen,CharLowerA,_strnlen,_strnlen,_strnlen,_strnlen,6_2_6C97F070
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C97C99A _realloc,GetPrivateProfileSectionNamesA,6_2_6C97C99A
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C98097D _memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,_strrchr,GetPrivateProfileStringA,GetVersionExA,GetLastError,6_2_6C98097D
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C97C01B _memset,GetPrivateProfileStringA,6_2_6C97C01B
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C98680F _strnlen,GetPrivateProfileStringA,6_2_6C98680F
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C97EA87 GetSystemDirectoryA,GetLastError,GetPrivateProfileStringA,lstrcmpA,lstrcmpA,_strnlen,lstrcmpA,lstrcmpA,6_2_6C97EA87
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Code function: 6_2_6C97D792 GetPrivateProfileStringA,6_2_6C97D792
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe File created: C:\Users\user\AppData\Local\Temp\Quest3D0\data\ffmpeg\README.txt
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\SrTasks.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Ortelia Curator.lnk
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Curator Help.lnk
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Deactivate Licence.lnk
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Ortelia Space.lnk
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Space Help.lnk
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Uninstall.lnk
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_03E27A50 IsIconic,GetWindowPlacement,GetWindowRect,5_2_03E27A50
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_03EBF9F8 GetParent,GetParent,IsIconic,GetParent,5_2_03EBF9F8
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Code function: 5_2_03E8B7D6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,wsprintfA,5_2_03E8B7D6
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3ab8e45e-009c-4c9f-aa4d-05ae8aa5a6d1}\Programmable Version
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: VMWare VMWare VMWare VMWare 5_2_03E73BF3
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProductName FROM Win32_SoundDevice
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Window / User API: threadDelayed 495
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Window / User API: threadDelayed 9504
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\21B682FC-63BD-461C-A9EF-F533563AAD47.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EBD84E0B-137A-45E2-A63E-EC1D98852828.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\InstallOptions.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Q3dTool_StartProgram.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\122557DC-CABF-4806-AFA1-B0A0DD9C8C5F.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B420ABA8-6E6B-4A31-82A2-CA5AE2B66577.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\060BCDDB-FC6B-4360-9E37-A7B42C6C4D23.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\9D28CD4B-2103-4E99-B1EE-C338242E165D.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\060F2106-8CEF-4DC9-9E80-27D654FE2014.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\HlslUnique.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\CF3378B6-F19D-488D-9361-9C35F8382722.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2690162E-A224-4267-AE70-413D8C0912A8.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AA393DA1-CDFA-4C96-8490-DE024F8FDABC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2F605354-314D-4775-86E4-1F733550B227.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\98813502-F9E2-4DDD-BB21-02762CF9583A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3237CF29-DB73-47D8-B4B9-A6CE2E1E60F1.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\9D045960-EAC2-4C40-9BBF-10F32F7FA305.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\894B077B-D372-4166-8F39-F188F9C3C237.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2A4F38AA-1942-4466-A306-0B85AB327BBB.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\338BF88C-5F15-408F-8DC2-614E31D333B2.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceMatrix.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\SetTexturePixel.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\ssleay32.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\CE741BA0-8AE3-4191-9F2E-EF8928892D37.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A19F6C27-85A3-45F3-A17B-9C1107E7A09A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1ABC2216-3D9A-4B62-95CA-1ACA029F703E.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2EAD7434-29D5-4CA1-9700-B6A770FBD7F7.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\XMLDOMObject.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B18ED5B7-4FAC-4C2B-840E-58BEFB419617.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\wkhtmltopdf.exe
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\809FD14E-C408-4DE6-BC3D-AB69C47238F6.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4DE5B0C2-DDAC-4927-AC0F-73D422863D69.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\psapi.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F26BB40B-B196-4AB9-B59E-FA7C8FF436F9.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\libgcc_s_dw2-1.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\XMLDOMCommand.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F467CCEE-F308-4741-A1FE-3D58B78C7AF1.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\E2D1C95B-1B84-4D94-A373-BEBABADF7AEE.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\5FE055B0-4269-4B25-9F31-157C835EC678.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0E43F737-C7AA-491D-B3A5-C6B0D9DC6483.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\SunPosition.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7805644A-FB2C-4BA2-8A8B-3D73D441D338.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1B002068-B627-41F2-95CD-E45489A5142F.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1B91B38D-F453-4EC9-83C3-6FBB48B87A62.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BED6EA12-2615-49CB-BBBF-67EE0EC7AF8B.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\DD626E09-F497-4A34-9032-47AD4D2BCBD7.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\624FAFE1-326D-4444-8768-D0D405FE0D23.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8C3D0983-CC73-4A3D-AB5A-9D40D9FD6E1D.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\StartPathChannel.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceFunctionParameter.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D5DE69E6-690D-4A06-ACE7-96BB143367DD.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\KeepRunning.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6918910A-F8BA-43C4-B8D4-CD6587D0F67C.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceValue.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0DEA1FCC-A682-47D7-A525-DC288850A3BF.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4DF6BAF0-3AED-407A-926F-35B2BBB62D0C.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6B8855CC-B67A-404A-8941-395C1314C2AC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\688FBE45-F29E-4FFE-8CBF-68BFE093B1EC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F9388FDD-EEEA-459F-9246-E7AC017E0062.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7D101BC8-E798-42FF-95E7-216902731C0E.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\21A8923D-B908-4104-AE88-B6718D8A8678.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BAC7326D-6DDC-4ECF-B821-6A52C8287DC7.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\89E051CA-4273-4EB9-89C8-5FD0CDA1B026.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BB029F54-D13C-47B3-A75A-B84581CDC303.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8BA3FB7B-C452-4ED1-BAC4-529877249C28.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8A5B6098-82B6-4BF0-A6CC-C36770E10685.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BC052C38-2D5D-4F0C-A0CA-654D0AFC584A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceThisClass.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1352B30C-2B0C-411F-8791-2107E78FF8E3.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4236B155-BEEB-4806-A4E7-0A3610B5CEFD.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2EE7E3C5-5969-4117-A8A4-074D7C9986E3.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AE617852-4B25-44C1-920A-01A53B2B5EAB.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EB69314C-9A02-43D7-BB94-EA27A32AA120.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceRefFromContainer.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceText.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8BB8F3A3-58FA-48A5-BDC3-E984862BABBE.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A550BB21-BE5C-4675-B53E-3FA246F76538.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8A6078ED-69D4-4DB4-9ADB-A3987B26369A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EF1644CB-C99E-44B9-B07C-EC8A9E9F2CBA.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F9CEB566-E5C4-4B13-9DDF-908FE6B6AFA4.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F7709F2F-62CF-4D08-A1DC-BC736F85E6DC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\04E1045F-0DCF-4FEA-89A6-A1B4EB85ECFA.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D180017B-B44B-4847-98CC-48453821DEAC.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6AA381C0-E9D5-4EAE-A7F6-19BED1B1F662.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7B54C17D-1AB0-4882-9612-9628DAB6CA37.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B6225961-01DA-463D-B5F7-3AD6541F5BD8.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F31897FC-64C3-4FF7-96E0-854BB1E13046.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\22B59A05-4C3F-4936-862D-3656FB99C6F3.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C682A43C-22B3-4CDD-A0EA-CF1B3FAE63D5.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cm80_Q3D.DLL
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FBB1D22B-CBB2-4A2A-AAC3-4BB57F144FD4.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7A4813B2-0BE6-408B-BD46-8A20E747A47E.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceInfoValue.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AA15B5D1-654C-4C0A-BE3B-EC3E5890D88A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceItem.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\676D2DE0-210E-4A1F-81AA-11CDB316796A.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0A1C3637-A047-4740-A761-1247CEF0E940.dll
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DX10C8.tmp\dxupdate.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2B10BAE4-83A1-41F5-87CD-EB69473D6538.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7DFC389A-BDFD-4092-93AB-D0B93A030DD6.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\563D75D1-D67B-403A-B8B6-FA6094943330.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\59A93B79-C960-4E83-A1AE-6D3811315C09.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C0EF3703-84D2-4C4D-B9FF-BD8ADE7E9AE4.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3423DAD4-77ED-4B4C-9F00-59CB533388C6.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FileSaver.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceFunction.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\11737E4A-A69C-4946-9D48-E560F3F29A7B.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Ortelia Curator\uninst.exe
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3FF51E2F-6D04-4297-BC69-079C555FF765.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AC73F78E-667D-4DB5-B22B-BCA1D98A1540.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6514FE12-88CF-480B-A3D8-7730C0CD23B3.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\78167FBA-D3FF-4D4D-B6A3-51AAB049F11C.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6092038D-B179-4C10-8D7F-04F35E9EFEA4.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B028B538-D554-434B-88CE-AA79A717C396.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BDAC0FBF-AEE8-4E6C-918C-2672F89026E4.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C664AE43-1451-4760-8A20-38004EDE1C65.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\libeay32.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\E1F00F2A-EFD1-4AEB-A689-6A8465BCF5FA.dle
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceVector.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\72180A77-77D5-427D-8A3E-D5838CC249C1.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8817838B-4E9E-46B5-85F9-178A97C6EF4F.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\FCollada.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F5BF6106-8544-495D-9BCA-E69A6F42BF95.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3090BC3C-E6B0-4CFA-8D3E-14D988A17828.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Command2.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceCommand.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\83783433-179C-4997-A4A5-C6F820CBFDB6.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\59283614-4E90-42B0-83A1-8FD225004619.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\10C20C0A-7A55-4084-8676-95E5699BCEC2.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FolderDialog.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1DA5051C-C13B-4A3F-9EAB-7AA9C79FB8E0.dll
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\UserInfo.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\04EB85EB-DA14-4E18-9F9C-A0EFF6837B00.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\HighPoly.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D01A1329-F854-4AFA-BDDC-70A1CD5AE25B.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\E34823CE-646E-46FE-8B36-0B9483ABB6F5.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceContainer.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2DFC141F-B06C-47B3-B7F9-2ABFB08C190E.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\8B959D25-5101-437B-A908-359E2AE36CF2.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0A97F0FB-BE04-46CC-93C0-59465B4775F9.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\11111111-1111-1111-1111-111111111111.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Q3dTool_MTCaller.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\C57A9D3F-0C29-41E0-B11E-BBED4C17AAF8.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6BE5BC8E-8036-4BDD-8FDA-591F6BDB68BB.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\FileLoader.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\18F9C150-2530-4B16-9D95-D31ECC69425F.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\00560937-855B-4DF7-8B7A-48D321F7F819.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\MoonPosition.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1118038E-554C-492C-8E03-928F76A7EEC0.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Directory.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\522A4C57-2831-4C4D-B28F-495F325AC9C3.dll
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\PersonalEncrypt.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\6E6FB247-4627-4FBE-8973-48344F23881E.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\CBCCC586-CAE0-45AE-9689-F5C179360700.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2346A6DF-5942-4CB5-9908-E59CEC72841F.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceCreation.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\AB37DFCA-32A2-4A4B-9DD9-09282EE3037A.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceRefContainer.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3164909D-47F3-43EF-8DF8-E8E95E8E22ED.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\98012B2B-BF6C-4D22-BEDE-267F5901889B.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\EACC7F74-0344-4C1F-9BC2-400EC0C7C499.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\22E1776C-E806-4FD0-BF53-92AD157F71FF.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\7AF0080E-C5C3-4BE5-8FB9-A9E2CF6FC9F1.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\Internet.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\145D3B82-FDC2-4925-A66B-7DCFFF022A97.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BE69CCC4-CFC1-4362-AC81-767D199BBFC3.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\ClassType.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\5F672C7F-7F68-408E-88AE-286A3F2F873A.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\1B6063A5-A3B4-4025-B7A4-5BD4E1E2E7AA.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\63C9809D-F615-4FED-A77C-B8F071AA3DB0.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\BE8C55B0-3057-4F3D-AB5A-5791EEA8D946.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3521B4CA-AE38-4009-8FF9-D18505384F69.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceChannel.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\9E2350D9-A93D-4CC1-BCCE-930A60AF14A4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\85FA981B-D6EA-415A-A1D6-675D83C7CAC6.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4DD461D0-7C4E-45EF-91AB-F211F9B920F2.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\4B22839D-2545-400D-A5C9-D977058037AA.dllJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\Ortelia Curator\DirectX\dsetup32.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3C0ED055-563B-4B10-8DC6-6EAE2EEEBE96.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2C71A155-C5F7-4F48-A548-0CAD5A323CA1.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\85642FF9-3940-4196-9596-90409AF1CDB4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\B973720E-2CC1-4F5C-A35A-33A152E2453E.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\69D8970F-E413-47BB-8E51-4C25B0F65E51.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0DE141BF-025D-4313-94AF-BE13150C6458.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\MoonInfo.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\30FD388D-99F9-41D2-8854-FF78FBA9A0D4.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\3BD317EE-88F4-4463-9AD3-B18F1BA4CF4B.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\5A4A4C8D-81A4-4A1E-828D-53C15D3B8E3C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InstanceRefItem.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\InterfaceType.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\data\ffmpeg\bin\ffmpeg.exeJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D8386F07-7A2B-4DD3-AD23-8470B80B7689.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\95117CD9-4859-4C6E-BC58-4F817E9D5D4F.dllJump to dropped file
Source: C:\Users\user\Desktop\CuratorStandardSetup.exeDropped PE file which has not been started: C:\Program Files (x86)\Ortelia Curator\OrteliaSpace.exeJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\SunInfo.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\09F292F7-25DB-49F7-A863-83DCD2ABC616.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\DF5BF7F7-C204-4F6E-BDB8-666A53DFCC58.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A488E6B9-0DA7-4E32-A2E6-0510CBE81B41.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\F48570A2-D00B-4280-B381-BB9A952FE8AA.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\376A9C13-8D66-49EC-BAE5-D59BE13BC519.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\78B61427-E90F-467F-9941-1E647350E6F6.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\D0703B82-CC0F-4B4A-8AFC-08124B0ADA6C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\0CC1D8C2-57EB-4427-842F-BCD32F2FCCF3.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\2E96F5B2-11F5-42D0-84A2-353DDC3609FC.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\41B94656-9497-45C3-82DC-9BE77D93133C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\19FD5D1D-3F76-49D6-9C4F-44A29B304EC0.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\DD2CD91D-2928-4324-BB1E-36DEC301E63C.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\A1617BEA-2E4A-4A92-B235-509245665AFC.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\data\pdf\mingwm10.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\channels\68260755-F5CB-4EB9-9CAC-7CB9FEA5C753.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\d3dx9_31.dllJump to dropped file
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_5-102336
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | API coverage: 6.2 %
Source: C:\Windows\System32\SrTasks.exe TID: 6416 | Thread sleep time: -70000s >= -30000s
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe TID: 1928 | Thread sleep time: -495000s >= -30000s
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe TID: 1928 | Thread sleep time: -9504000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT version FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Domain FROM Win32_ComputerSystem
Source: C:\Windows\System32\SrTasks.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | File Volume queried: C:\Windows FullSizeInformation
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00405D07 FindFirstFileA,FindClose | 0_2_00405D07
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 0_2_00405331
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_0040263E FindFirstFileA | 0_2_0040263E
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E71494 GlobalFix,GlobalUnWire,FindFirstFileA,__itoa,FindNextFileA,__itoa,FindClose,FindClose,__itoa,GetLastError,GlobalAlloc,GlobalFix,GlobalUnWire | 5_2_03E71494
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E33FEB __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen | 5_2_03E33FEB
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C344B1 FindFirstFileA,FindClose | 6_2_00C344B1
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97A3EB FindFirstFileA,FindClose | 6_2_6C97A3EB
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C981473 WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_strrchr,WideCharToMultiByte,_memset,FindFirstFileA,FindClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError | 6_2_6C981473
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97D86D GetWindowsDirectoryA,GetLastError,_strrchr,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose | 6_2_6C97D86D
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97E7AF lstrcmpA,_memset,GetSystemDirectoryA,GetLastError,StringFromGUID2,WideCharToMultiByte,GetLastError,FindFirstFileA,FindNextFileA,FindClose | 6_2_6C97E7AF
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C97FB07 _memset,_memset,GetWindowsDirectoryA,GetLastError,_memset,FindFirstFileA,lstrcmpA,lstrcmpA,GetFileAttributesA,GetLastError,FindNextFileA,FindClose | 6_2_6C97FB07
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E7EEC3 GetSystemInfo | 5_2_03E7EEC3
Source: QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMware Virtual Platform
Source: SrTasks.exe, 0000000C.00000003.2775781031.0000021DF81CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 0000000C.00000003.2371444649.0000021DF81CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: deactivate.exe, 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, deactivate.exe, 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3609273645.0000000003FA1000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3603619116.0000000000414000.00000040.00000001.01000000.00000011.sdmp | Binary or memory string: IP_OFFLINE_ERRORIP_ACTIVATE_OFFLINE_ERRORIP_OFFLINE_STARTED[varWarningDaysLeft][varSupportWebSite][varProductName]Error %ld: Exception Code %ld - Error %ld - IP_ERROR_SYSTEM_CLOCK_INVALIDIP_LICENSE_VALIDATION_WARNINGIP_LICENSE_VALIDATION_FAILEDIP_LICENSE_FAILEDIP_LICENSE_REVOKEDIP_LICENSE_INVALIDIP_SERVER_VALIDATION_FAILIP_ERROR_HOSTSIP_ERROR_7IP_ERROR_100IP_ERROR_200IP_ERROR_2IP_ERROR_MODULE_NOT_ACTIVEIP_ERROR_8IP_ERROR_KEYGENIP_ACTIVATION_FAILEDTEXTIP_ACTIVATION_FAILCODEIP_LANGUAGE_CODE&#$(F()@#)$*&R&VHjDH*(#9@(@*&$V*><UJ&. %ld.%ld.%ld.%ld %ld.%ld.%ld %ld.%ld %ldIP_VERSIONImpactNONEIP_ERROR_TERMSERVIP_ERROR_VIRTUALMACHINEIP_ERRORIP_ERROR_%dIP_ENTER_LICENSEID(%ld) REGISTEREDThe application was launched while holding the "Shift" key on your keyboard. Do you wish to activate or reactivate your application now?Activate ApplicationThis application was protected by a Trial version of SoftwareKey's Instant PLUSTrial MessageThis application was protected by a BETA version of SoftwareKey's Instant PLUSBETA Message
Source: QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: ActivationFile.lic:Version<html><head><meta http-equiv="REFRESH" content="0; URL=%s"></head><body style="font-family: Verdana; font-size: 8pt;"><p>Please <a href="%s">click here</a> if you are not redirected in the next few seconds.</p></body></html>%s%s?L=%s&P=%s&V=%s&ID=%s&D=%s%ld|%s|%sVirtual PCMicrosoft Virtual Machine BusWin32_ComputerSystemVMware Virtual PlatformWin32_CDROMDriveNameWin32_DiskDriveModelVMWare VirtualVMWareVBOX CD-ROMVersionWin32_BIOSSMBIOSBIOSVersionVirtualBoxVBOX - 1ManufacturerXenXen - 0Parallels Virtual PlatformParallels Display AdapterParallels Ethernet AdapterPRLS - 1User32SetSecurityInfoSetEntriesInAclAGetSecurityInfosoftware\classes\vdspYAP00667SAA-48238810806139975959bd8768d74383a8ad6e0f2f79b59a:LM:%s:%s:CU:%s:%s%s%s\Software\Classes\CLSID\%s\Software\Classes\CLSID\:cu::CU:HKEY_CURRENT_USERHKEY_CLASSES_ROOT:CR:HKEY_LOCAL_MACHINE:kernel32IsWow64ProcessGetSystemWow64DirectoryA\System32\GetSystemWindowsDirectoryAinet_addrinet_ntoaThe NCBASTAT on LANA %d return code is: 0x%xThe NCBRESET on LANA %d return code is: 0x%xThe NCBENUM return code is: 0x%x Netbiosnetapi32.dllSendARPIphlpapi.dllExcludeFilesSoftware\Microsoft\Windows\CurrentVersion\Applets\Defrag\AppStartParamsSoftware\Symantec\Speed Disk Unmovable Files\AttributesDEST* NETAPI32.DLLGetAdaptersInfoiphlpapi.dllVMware Virtual Ethernet AdaptermachnumCannot unregister class!Cannot close window!Cannot communicate with machnm1.exe!Cannot execute machnm1.exe!Cannot register class!DPPPDLL32Cannot find machnm1.exe!Fatal ErrorMachnm1.exe%.1s\\.\Machnm32\\.\Machnm64 ATA Device<SystemIdentifier name="%s" type="%s" 
value="%s"></SystemIdentifier></Identifiers>SoundCardIdentifier1SoundCardIdentifierCdromIdentifier1CdromIdentifierMotherboardSerialIdentifier1MotherboardSerialIdentifierMotherboardModelIdentifier1MotherboardModelIdentifierHardDriveScsiSerialIdentifier4HardDriveScsiSerialIdentifier3HardDriveScsiSerialIdentifier2HardDriveScsiSerialIdentifier1HardDriveScsiSerialIdentifierHardDriveSerialIdentifier4HardDriveSerialIdentifier3HardDriveSerialIdentifier2HardDriveSerialIdentifier1HardDriveSerialIdentifierHardDriveScsiModelIdentifier4HardDriveScsiModelIdentifier3HardDriveScsiModelIdentifier2HardDriveScsiModelIdentifier1HardDriveScsiModelIdentifierHardDriveModelIdentifier4HardDriveModelIdentifier3HardDriveModelIdentifier2HardDriveModelIdentifier1HardDriveModelIdentifierVideoCardIdentifier1VideoCardIdentifierMemorySizeIdentifier1MemorySizeIdentifierProcessorInfoIdentifier1ProcessorIdentifierBiosDateIdentifier1BiosDateIdentifierNicIdentifier2NicIdentifier1NicIdentifier<Identifiers>Device Description\Device\Video0HARDWARE\DEVICEMAP\VIDEOTAP-Win32 AdapterVirtualBox Host-OnlySONICWALLVPN ADAPTERVMWARE VIRTUALTAP-Win32 AdapterVirtualBox Host-OnlySONICWALLVPN ADAPTERVMWARE VIRTUALGetAdaptersAddressesDomainSELECT Domain FROM Win32_ComputerSystemModelSELECT Model FROM Win32_DiskDriveSELECT SerialNumber FROM Win32_PhysicalMediaSELECT SerialNumber FROM Win32_DiskDriveSEL
Source: deactivate.exe | Binary or memory string: renew your subscription to continue using [varProductName].</IP_PERIODIC_EXPIRED> <IP_ERROR_KEYGEN>Fatal Error. The Application failed to activate. Please contact technical support.</IP_ERROR_KEYGEN> <IP_ERROR_VIRTUALMACHINE>This application will not
Source: deactivate.exe, 00000005.00000002.1925084693.0000000004187000.00000004.00000020.00020000.00000000.sdmp, deactivate.exe, 00000005.00000002.1925084693.0000000004168000.00000004.00000020.00020000.00000000.sdmp, deactivate.exe, 00000005.00000003.1923924434.0000000004187000.00000004.00000020.00020000.00000000.sdmp, deactivate.exe, 00000005.00000003.1913327985.0000000004165000.00000004.00000020.00020000.00000000.sdmp, deactivate.exe, 00000005.00000003.1923966547.0000000004161000.00000004.00000020.00020000.00000000.sdmp, deactivate.exe, 00000005.00000003.1923983869.0000000004166000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2422010484.0000000003D36000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2429331593.0000000003D54000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2424948963.0000000003D55000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3608008418.0000000003D50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <IP_ERROR_VIRTUALMACHINE>This application will not run from within a virtual machine</IP_ERROR_VIRTUALMACHINE>
Source: QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMWare Virtual
Source: QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMWare
Source: QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMWARE VIRTUAL
Source: deactivate.exe, deactivate.exe, 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, deactivate.exe, 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, QuestViewer.exe, 0000000F.00000003.2425096015.0000000003DD9000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2426880795.0000000003DD8000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2425769696.0000000003DD9000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2424765694.0000000003DD9000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3609273645.0000000003FA1000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3603619116.0000000000414000.00000040.00000001.01000000.00000011.sdmp, QuestViewer.exe, 0000000F.00000002.3608407761.0000000003DD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IP_ERROR_VIRTUALMACHINE
Source: deactivate.exe | Binary or memory string: un from within a virtual machine</IP_ERROR_VIRTUALMACHINE> <IP_ERROR_TERMSERV>This application will not run from within a Terminal Services session</IP_ERROR_TERMSERV> <IP_ACTIVATION_FILENAME>ActivationFile.htm</IP_ACTIVATION_FILENAME> <IP_DEACTIVATE_
Source: QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMware Virtual Ethernet Adapter
Source: deactivate.exe, 00000005.00000002.1924918994.0000000003EEC000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: ActivationFile.lic:Version<html><head><meta http-equiv="REFRESH" content="0; URL=%s"></head><body style="font-family: Verdana; font-size: 8pt;"><p>Please <a href="%s">click here</a> if you are not redirected in the next few seconds.</p></body></html>%s%s?L=%s&P=%s&V=%s&ID=%s&D=%s%ld|%s|%sWin32_BaseBoardManufacturerMicrosoft CorporationVirtual PCMicrosoft Virtual Machine BusWin32_ComputerSystemVMware Virtual PlatformWin32_CDROMDriveNameWin32_DiskDriveModelVMWare VirtualVMWareVBOX CD-ROMVersionWin32_BIOSSMBIOSBIOSVersionVirtualBoxVBOX - 1XenXen - 0Parallels Virtual PlatformParallels Display AdapterParallels Ethernet AdapterPRLS - 1User32SetSecurityInfoSetEntriesInAclAGetSecurityInfosoftware\classes\vdspYAP00667SAA-48238810806139975959bd8768d74383a8ad6e0f2f79b59a:LM:%s:%s:CU:%s:%s%s%s\Software\Classes\CLSID\%s\Software\Classes\CLSID\:cu::CU:HKEY_CURRENT_USERHKEY_CLASSES_ROOT:CR:HKEY_LOCAL_MACHINE:kernel32IsWow64ProcessGetSystemWow64DirectoryA\System32\GetSystemWindowsDirectoryAinet_addrinet_ntoaThe NCBASTAT on LANA %d return code is: 0x%xThe NCBRESET on LANA %d return code is: 0x%xThe NCBENUM return code is: 0x%x Netbiosnetapi32.dllSendARPIphlpapi.dllExcludeFilesSoftware\Microsoft\Windows\CurrentVersion\Applets\Defrag\AppStartParamsSoftware\Symantec\Speed Disk Unmovable Files\AttributesDEST* NETAPI32.DLLGetAdaptersInfoiphlpapi.dllVMware Virtual Ethernet AdaptermachnumCannot unregister class!Cannot close window!Cannot communicate with machnm1.exe!Cannot execute machnm1.exe!Cannot register class!DPPPDLL32Cannot find machnm1.exe!Fatal ErrorMachnm1.exe%.1s\\.\Machnm32\\.\Machnm64 ATA Device<SystemIdentifier name="%s" type="%s" 
value="%s"></SystemIdentifier></Identifiers>SoundCardIdentifier1SoundCardIdentifierCdromIdentifier1CdromIdentifierMotherboardSerialIdentifier1MotherboardSerialIdentifierMotherboardModelIdentifier1MotherboardModelIdentifierHardDriveScsiSerialIdentifier4HardDriveScsiSerialIdentifier3HardDriveScsiSerialIdentifier2HardDriveScsiSerialIdentifier1HardDriveScsiSerialIdentifierHardDriveSerialIdentifier4HardDriveSerialIdentifier3HardDriveSerialIdentifier2HardDriveSerialIdentifier1HardDriveSerialIdentifierHardDriveScsiModelIdentifier4HardDriveScsiModelIdentifier3HardDriveScsiModelIdentifier2HardDriveScsiModelIdentifier1HardDriveScsiModelIdentifierHardDriveModelIdentifier4HardDriveModelIdentifier3HardDriveModelIdentifier2HardDriveModelIdentifier1HardDriveModelIdentifierVideoCardIdentifier1VideoCardIdentifierMemorySizeIdentifier1MemorySizeIdentifierProcessorInfoIdentifier1ProcessorIdentifierBiosDateIdentifier1BiosDateIdentifierNicIdentifier2NicIdentifier1NicIdentifier<Identifiers>DomainSELECT Domain FROM Win32_ComputerSystemModelSELECT Model FROM Win32_DiskDriveSELECT SerialNumber FROM Win32_PhysicalMediaSELECT SerialNumber FROM Win32_DiskDriveSELECT Name FROM Win32_CDROMDriveProductNameSELECT ProductName FROM Win32_SoundDeviceversionSELECT version FROM Win32_BIOSManufacturerSELECT Manufacturer FROM Win32_BaseBoardSerialNumbe
Source: deactivate.exe | Binary or memory string: ease contact technical support.</IP_ERROR_KEYGEN> <IP_ERROR_VIRTUALMACHINE>This application will not run from within a virtual machine</IP_ERROR_VIRTUALMACHINE> <IP_ERROR_TERMSERV>This application will not run from within a Terminal Services session</IP_
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | API call chain: ExitProcess graph end node (graph_0-3265)
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | API call chain: ExitProcess graph end node (graph_5-102338)
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | API call chain: ExitProcess graph end node (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | File opened: NTICE
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E3C74A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C33647 GetWindowsDirectoryA,OutputDebugStringA,CreateDirectoryA,GetLastError,__wstrtime,__wstrtime
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_00425D60 push dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E1D650 push dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E485FD __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E1F410 _memset,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoA,GetModuleHandleA,GetProcAddress,GetProcAddress,RtlAddVectoredExceptionHandler,KiUserExceptionDispatcher
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E3C74A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E36878 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E38C68 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C37E8A SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C3765E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C41B48 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__amsg_exit
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C9956F8 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C98AE6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Process created: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe "C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe" /OPENLF
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E745CD AllocateAndInitializeSid,GetLastError,FreeSid
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_0044DFC5 cpuid
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03EBE021 GetThreadLocale,GetLocaleInfoA,GetACP
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E49348 GetLocaleInfoA
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E314BB _strcpy_s,__snprintf_s,GetLocaleInfoA,PathFindFileNameA,_memset,GetModuleHandleA,GetProcAddress,LoadLibraryExA
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_00C412F5 GetLocaleInfoA
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Code function: 6_2_6C996092 GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId (2 occurrences)
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Queries volume information: C:\ VolumeInformation (7 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03ED6301 GetSystemTimeAsFileTime,__aulldiv
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E7EC8F _memset,_sprintf,LookupAccountNameA,LookupAccountNameA,GetLastError,GetLastError,_malloc,_malloc,LookupAccountNameA,GetLastError,GetLastError
Source: C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | Code function: 5_2_03E44DFD __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson
Source: C:\Users\user\Desktop\CuratorStandardSetup.exe | Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
Source: C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
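The evidence above mixes three kinds of artefact that the sandbox scores separately: reads of the PEB through fs:[30h] (the classic BeingDebugged check), the open of the SoftICE device NTICE, and the WMI queries (Win32_DiskDrive, Win32_SoundDevice, Win32_BIOS, Win32_BaseBoard and so on) that the report attributes to virtual-machine detection, although the same queries are what a hardware-locked licensing scheme collects. The Python below is an added example, not code from the sandbox, the report, or the Ortelia/Quest3D software: it reproduces those three checks statically over a raw byte blob (an unpacked module or a memory dump) so the same triage can be repeated on another sample. The x86 opcode encodings are exact; the set VM_SENSITIVE_CLASSES is an analyst assumption, and the input blob is constructed for the demonstration and contains none of the sample's bytes.

```python
"""Static triage: PEB/TEB reads, debugger device names and WMI fingerprint queries in a byte blob.
Added example; not the sandbox's or the analysed installer's code."""
import re
from dataclasses import dataclass, field

# 32-bit x86 encodings that read the PEB pointer at fs:[30h] (PEB.BeingDebugged is at PEB+2).
PEB_PATTERNS = {
    b"\x64\xff\x35\x30\x00\x00\x00": "push dword ptr fs:[30h]",
    b"\x64\xa1\x30\x00\x00\x00":     "mov eax, fs:[30h]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[30h]",
    b"\x64\x8b\x15\x30\x00\x00\x00": "mov edx, fs:[30h]",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "mov ebx, fs:[30h]",
}
# SoftICE device names opened with CreateFile to detect a resident kernel debugger
# (the report shows QuestViewer.exe opening NTICE; SICE is the Windows 9x counterpart).
DEBUGGER_DEVICE = re.compile(r"\\\\\.\\(NTICE|SICE)\b")
# WQL queries are NUL-terminated strings in the binary, so one query per extracted string.
WMI_QUERY = re.compile(r"SELECT\s+\w+\s+FROM\s+(Win32_\w+)", re.IGNORECASE)
REGISTRY_FINGERPRINTS = ("MachineGuid", "ProductId")
# Analyst assumption, not a sandbox rule: classes whose answers differ between physical hosts
# and common hypervisors. The report itself flags Win32_DiskDrive and Win32_SoundDevice.
VM_SENSITIVE_CLASSES = {"Win32_DiskDrive", "Win32_SoundDevice", "Win32_BIOS",
                        "Win32_ComputerSystem", "Win32_BaseBoard", "Win32_PhysicalMedia"}


@dataclass
class TriageResult:
    peb_reads: list = field(default_factory=list)        # (offset, mnemonic), sorted by offset
    debugger_devices: list = field(default_factory=list)
    wmi_queries: list = field(default_factory=list)      # full query text
    vm_sensitive_classes: set = field(default_factory=set)
    registry_fingerprints: list = field(default_factory=list)


def extract_strings(blob: bytes, min_len: int = 6):
    """Yield printable ASCII and UTF-16LE strings, as `strings -a` and `strings -e l` would."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group().decode("utf-16-le")


def triage(blob: bytes) -> TriageResult:
    """Scan raw bytes for the three artefact classes and return them with offsets/names."""
    r = TriageResult()
    for pattern, mnemonic in PEB_PATTERNS.items():
        start = 0
        while (off := blob.find(pattern, start)) != -1:
            r.peb_reads.append((off, mnemonic))
            start = off + 1
    for s in extract_strings(blob):
        for m in DEBUGGER_DEVICE.finditer(s):
            r.debugger_devices.append(m.group(1))
        for m in WMI_QUERY.finditer(s):
            r.wmi_queries.append(m.group(0))
            if m.group(1) in VM_SENSITIVE_CLASSES:
                r.vm_sensitive_classes.add(m.group(1))
        for name in REGISTRY_FINGERPRINTS:
            if name in s:
                r.registry_fingerprints.append(name)
    r.peb_reads.sort()
    return r


def summarize(r: TriageResult) -> str:
    lines = [f"PEB reads: {len(r.peb_reads)}"] + [f"  {off:#08x}  {m}" for off, m in r.peb_reads]
    lines.append(f"debugger devices: {', '.join(r.debugger_devices) or '-'}")
    lines.append(f"WMI queries: {len(r.wmi_queries)} "
                 f"(VM-sensitive classes: {', '.join(sorted(r.vm_sensitive_classes)) or '-'})")
    lines.append(f"registry fingerprint values: {', '.join(r.registry_fingerprints) or '-'}")
    return "\n".join(lines)


def build_sample_blob() -> bytes:
    """Constructed input (not bytes from the analysed sample): a filler prologue, two PEB reads,
    the SoftICE device name, and NUL-separated WMI/registry strings of the kind the report lists."""
    parts = [
        b"\x55\x8b\xec\x83\xec\x10",              # push ebp; mov ebp,esp; sub esp,10h
        b"\x64\xff\x35\x30\x00\x00\x00",          # push dword ptr fs:[30h]     (offset 6)
        b"\x8b\x45\x08\xc9\xc3",                  # mov eax,[ebp+8]; leave; ret
        b"\\\\.\\NTICE\x00",
        b"SELECT Model FROM Win32_DiskDrive\x00",
        b"SELECT SerialNumber FROM Win32_PhysicalMedia\x00",
        b"SELECT ProductName FROM Win32_SoundDevice\x00",
        b"SELECT Manufacturer FROM Win32_BaseBoard\x00",
        "SELECT Domain FROM Win32_ComputerSystem".encode("utf-16-le") + b"\x00\x00",
        b"SOFTWARE\\Microsoft\\Cryptography\x00MachineGuid\x00",
        b"\x64\xa1\x30\x00\x00\x00\x8a\x40\x02",  # mov eax,fs:[30h]; mov al,[eax+2]  (offset 314)
    ]
    return b"".join(parts)


if __name__ == "__main__":
    print(summarize(triage(build_sample_blob())))
```

Run it against a dump with `triage(open(path, "rb").read())`. A hit on fs:[30h] alone is weak evidence (the CRT and many protectors touch the PEB); the combination with a debugger device name and a broad set of hardware queries is what distinguishes a licensing or anti-tamper layer from incidental code, and it is the same combination the sandbox counted here.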
MITRE ATT&CK matrix (the number in parentheses is the count of matching signatures; techniques without a count are matrix cells with no match):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Spearphishing Link (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Windows Management Instrumentation (22), Native API (3), Command and Scripting Interpreter (3), Service Execution (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Windows Service (3), Registry Run Keys / Startup Folder (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (3), Process Injection (11), Registry Run Keys / Startup Folder (1), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Install Root Certificate (1), Software Packing (3), DLL Side-Loading (1), Masquerading (22), Modify Registry (1), Virtualization/Sandbox Evasion (34), Access Token Manipulation (1), Process Injection (11)
Credential Access: Input Capture (31), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (177), Security Software Discovery (461), Virtualization/Sandbox Evasion (34), Application Window Discovery (11), System Owner/User Discovery (1), Remote System Discovery (1), Network Service Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (1), Input Capture (31), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph ID: 1439300 | Sample: CuratorStandardSetup.exe | Start date: 10/05/2024 | Architecture: WINDOWS | Score: 40
Signatures on the sample: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contain functionality to detect virtual machines; 3 other signatures

Process tree (counts are created registry values / created files):

CuratorStandardSetup.exe (7 / 85), started
    dropped: C:\Program Files (x86)\...\uninst.exe (PE32); C:\Program Files (x86)\...\deactivate.exe (PE32); C:\Program Files (x86)\...\OrteliaSpace.exe (PE32); 6 other files (1 malicious)
    signature: Writes many files with high entropy
    -> OrteliaCurator.exe (1 / 379), started
        dropped: C:\Users\user\AppData\...\wkhtmltopdf.exe (PE32); C:\Users\user\AppData\Local\...\ffmpeg.exe (PE32); C:\Users\user\AppData\Local\...\cr80_Q3D.dll (PE32); 208 other files (203 malicious)
        -> QuestViewer.exe, started
            signatures: Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    -> DXSETUP.exe (11 / 18), started
        dropped: C:\Users\user\AppData\Local\...\dxupdate.dll (PE32)
        signature: Installs new ROOT certificates
    -> deactivate.exe (6 / 2), started
SrTasks.exe (1), started
    -> conhost.exe, started

Source | Detection | Scanner
CuratorStandardSetup.exe | 1% | Virustotal

Source | Detection | Scanner
C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Ortelia Curator\DirectX\DSETUP.dll | 0% | ReversingLabs
C:\Program Files (x86)\Ortelia Curator\DirectX\DSETUP.dll | 0% | Virustotal
C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | 0% | ReversingLabs
C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | 0% | Virustotal
C:\Program Files (x86)\Ortelia Curator\DirectX\dsetup32.dll | 0% | ReversingLabs
C:\Program Files (x86)\Ortelia Curator\DirectX\dsetup32.dll | 0% | Virustotal
C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe | 0% | Virustotal
C:\Program Files (x86)\Ortelia Curator\OrteliaSpace.exe | 0% | Virustotal
C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe | 15% | Virustotal
C:\Program Files (x86)\Ortelia Curator\uninst.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\DX10C8.tmp\dxupdate.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\DX10C8.tmp\dxupdate.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\FCollada.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\FCollada.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cm80_Q3D.DLL | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cm80_Q3D.DLL | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cp80_Q3D.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cp80_Q3D.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cr80_Q3D.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\cr80_Q3D.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\d3dx9_31.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\d3dx9_31.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\psapi.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\3rd\psapi.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\HighPoly.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\HighPoly.dll | 1% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\channels\00560937-855B-4DF7-8B7A-48D321F7F819.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\channels\00560937-855B-4DF7-8B7A-48D321F7F819.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Quest3D0\channels\04E1045F-0DCF-4FEA-89A6-A1B4EB85ECFA.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Quest3D0\channels\04E1045F-0DCF-4FEA-89A6-A1B4EB85ECFA.dll | 0% | Virustotal
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchemautf-8techniquelibrary_nodesFArchiveXMLbad | 0% | Avira URL Cloud | safe
http://www.ortelia.com= | 0% | Avira URL Cloud | safe
http://www.collada.org/2005/11/COLLADASchema | 0% | Avira URL Cloud | safe
http://www.quest3d.com)HttpControl | 0% | Avira URL Cloud | safe
http://www.BetaPlace.com.? | 0% | Avira URL Cloud | safe
http://www.quest3d.com/This | 0% | Avira URL Cloud | safe
http://www.quest3d.com) | 0% | Avira URL Cloud | safe
http://www.betaplace.com. | 0% | Avira URL Cloud | safe
http://www.betaplace.com | 0% | Avira URL Cloud | safe
http://www.collada.org/2005/11/COLLADASchemautf-8techniquelibrary_nodesFArchiveXMLbad | 1% | Virustotal | -
http://www.quest3d.com/This | 0% | Virustotal | -
http://www.BetaPlace.comEContinuare | 0% | Avira URL Cloud | safe
http://www.ortelia.comu | 0% | Avira URL Cloud | safe
http://www.betaplace.com. | 0% | Virustotal | -
http://www.quest3d.com/ | 0% | Avira URL Cloud | safe
http://www.betaplace.com | 0% | Virustotal | -
http://www.collada.org/2005/11/COLLADASchema | 0% | Virustotal | -
http://www.ortelia.coms | 0% | Avira URL Cloud | safe
http://www.BetaPlace.com.? | 0% | Virustotal | -
http://www.ortelia.com/orteliacurator/ | 0% | Avira URL Cloud | safe
http://www.quest3d.com/Quest3D | 0% | Avira URL Cloud | safe
http://www.ortelia.comm | 0% | Avira URL Cloud | safe
http://www.quest3d.com/ | 0% | Virustotal | -
http://www.ortelia.com | 0% | Avira URL Cloud | safe
http://www.quest3d.com/Quest3D | 0% | Virustotal | -
http://www.ortelia.com | 0% | Virustotal | -
http://www.ortelia.com/orteliacurator/ | 0% | Virustotal | -
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | vo-aacenc.txt.14.dr | false | - | high
https://secure.softwarekey.com/solo/customers/S | QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.quest3d.com)HttpControl | OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011E56000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://test.softwarekey.com/unlock/test.asp | deactivate.exe, deactivate.exe, 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp, deactivate.exe, 00000005.00000002.1924918994.0000000003EEC000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, QuestViewer.exe, 0000000F.00000002.3603619116.00000000004F4000.00000040.00000001.01000000.00000011.sdmp, QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/ | vo-aacenc.txt.14.dr | false | - | high
http://www.gnu.org/philosophy/why-not-lgpl.html | libiconv.txt.14.dr | false | - | high
http://ocsp.thawte.com0 | OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ortelia.com= | QuestViewer.exe, 0000000F.00000002.3610289941.00000000065F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://secure.softwarekey.com/solo/customers/forgotpw.asp | QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | CuratorStandardSetup.exe | false | - | high
http://www.collada.org/2005/11/COLLADASchemautf-8techniquelibrary_nodesFArchiveXMLbad | OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | deactivate.exe, deactivate.exe, 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp, deactivate.exe, 00000005.00000002.1924918994.0000000003EEC000.00000040.00001000.00020000.00000000.sdmp, QuestViewer.exe, QuestViewer.exe, 0000000F.00000002.3603619116.00000000004F4000.00000040.00000001.01000000.00000011.sdmp, QuestViewer.exe, 0000000F.00000002.3609273645.000000000407B000.00000040.00001000.00020000.00000000.sdmp | false | - | high
http://www.BetaPlace.com.? | DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.collada.org/2005/11/COLLADASchema | OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000013208000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | CuratorStandardSetup.exe | false | - | high
http://www.quest3d.com/This | OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.quest3d.com) | OrteliaCurator.exe, 0000000E.00000003.2310724437.0000000011E56000.00000004.00000020.00020000.00000000.sdmp, OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://secure.softwarekey.com/solo/customers/forgotpw.asprQ | QuestViewer.exe, 0000000F.00000002.3608008418.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2426970111.0000000003D50000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.betaplace.com. | DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.betaplace.com | DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.BetaPlace.comEContinuare | DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.softwarekey.com/solo/customers/MMyE | deactivate.exe, 00000005.00000003.1923924434.00000000041B3000.00000004.00000020.00020000.00000000.sdmp, deactivate.exe, 00000005.00000003.1924001388.00000000041B4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.ortelia.comu | QuestViewer.exe, 0000000F.00000002.3610844775.0000000006BEF000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2430734618.0000000006BF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quest3d.com/ | OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://secure.softwarekey.com/solo/customers/forgotpw.aspduct | QuestViewer.exe, 0000000F.00000003.2426970111.0000000003D50000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://fsf.org/ | libiconv.txt.14.dr | false | - | high
http://www.BetaPlace.com. | DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | false | - | unknown
http://www.ortelia.coms | QuestViewer.exe, 0000000F.00000003.2427522008.00000000065FA000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3610289941.00000000065F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ortelia.com/orteliacurator/ | QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.BetaPlace.com | DXSETUP.exe, 00000006.00000000.1911314044.0000000000C4C000.00000002.00000001.01000000.0000000B.sdmp | false | - | unknown
http://www.quest3d.com/Quest3D | OrteliaCurator.exe, 0000000E.00000003.2310724437.00000000119CC000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://secure.softwarekey.com/solo/customers/ | QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.ortelia.comm | QuestViewer.exe, 0000000F.00000002.3610844775.0000000006BEF000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2430734618.0000000006BF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ortelia.com | QuestViewer.exe, 0000000F.00000002.3607735159.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000002.3610289941.00000000065F9000.00000004.00000020.00020000.00000000.sdmp, QuestViewer.exe, 0000000F.00000003.2430734618.0000000006BF0000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.gnu.org/licenses/ | libiconv.txt.14.dr | false | - | high
                                      No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1439300
Start date and time: 2024-05-10 05:09:31 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: CuratorStandardSetup.exe
Detection: MAL
Classification: mal40.rans.evad.winEXE@11/411@0/0
                                      EGA Information:
                                      • Successful, ratio: 75%
                                      HCA Information:
                                      • Successful, ratio: 95%
                                      • Number of executed functions: 93
                                      • Number of non-executed functions: 337
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target QuestViewer.exe, PID 3284 because there are no executed function
• Not all processes were analyzed; the report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
05:12:11 | API Interceptor | 2987513x Sleep call for process: OrteliaCurator.exe modified
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | https://download.autodesk.com/us/support/files/designreview/2018/EXE/ptb/SetupDesignReview.exe | malicious | Unknown
C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine | malicious | Unknown (3 analyses)
C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi | malicious | Unknown
C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe | https://www.unrealengine.com/en-US/download | malicious | Unknown (2 analyses)
C:\Program Files (x86)\Ortelia Curator\DirectX\DSETUP.dll | https://download.autodesk.com/us/support/files/designreview/2018/EXE/ptb/SetupDesignReview.exe | malicious | Unknown
C:\Program Files (x86)\Ortelia Curator\DirectX\DSETUP.dll | https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine | malicious | Unknown (3 analyses)
C:\Program Files (x86)\Ortelia Curator\DirectX\DSETUP.dll | https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi | malicious | Unknown
C:\Program Files (x86)\Ortelia Curator\DirectX\DSETUP.dll | https://www.unrealengine.com/en-US/download | malicious | Unknown (2 analyses)
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 913084 bytes, 6 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x64.cat", flags 0x4, ID 11125, number 1, extra bytes 20 in head, 82 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):919044
                                                                  Entropy (8bit):7.999571361748173
                                                                  Encrypted:true
                                                                  SSDEEP:24576:MDpsM5o0SU8j80MOpdoS2d8th4R61+U/NZ:msM5x9L0LpdoS2d4qRy+U/z
                                                                  MD5:A34039A6DCC7C42BE4D8716E8D73925E
                                                                  SHA1:CA342565C4D9B40E9E7313C2F63BDCEDD13EA2B5
                                                                  SHA-256:D2E14FC8CB9410CAAD5BD17C4ACFF2B6E060C552C432D11946A6905AEE216931
                                                                  SHA-512:6E0D8B640286905E7F6C10475CC74A02F115CF100DC6AD32CE660B1328FD36C856B39794352E2DD4D9268B1727A6FFF11A85C9A38A1CBBBFD33325F895FBB03A
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:MSCF............D...............u+..............H...........*...R...hi'.......$;....D3DCompiler_42.dll.....hi'...$;...D3DCompiler_42_x64.cat......'...$;...D3DCompiler_42_x64.inf.......'...$;...D3DCompiler_42_x64_xp.inf.>...X.'...$;...AUG2009_D3DCompiler_42_x64.inf..(....'...$;....infinst.exe.........[.... .....P..D..P...O..g..)Y...a..T..Q.F/...D.!2..htt...Fg`t.F..t.Fg`.D..3.}...Df.h.........o.~~..w'....@,...@>..2.w\.T..yd.a[{........6g.+id...p..&)N...4.9M.t...@@..@.0....}D_.W.../..@h..fh..........u..e.&..c..R$.........(.c...~/.^..{A...z....a{...G..8+.S..<.......;.M.Y.R..wj....P..S}.o*.....-.G..S.kF.N.R...'...lq.......BP...j{..m.q.n.R....V.F....X..e3....]...DM.y..ex....h......b.>..W|..............C._.?.../....Bs.3....;q.e...O...g.n.....y..".....u.E...D-Z...>.6V..N.5.>.1=.Q.....t.....'o.2^..Y{...4.....r^4....#!=[g..}...u.s..b.u...P.z......7.....y.s)..i..\..N.9..N..+W.f........e.....M....B.F.6..].8...R8b)&Sl.F37....q..bo6...A5..\ ...#.... ...
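The "File Type" line above is file(1)'s reading of the cabinet header: cbCabinet 913084, first CFFILE at 0x44, flags 0x4 (header reserve present), setID 11125, iCabinet 1, 82 CFDATA blocks, typeCompress 0x1503. The parser below, an added example that is not part of the Joe Sandbox report, decodes those fields from the MS-CAB layout and explains the two things worth checking on such an entry. First, 0x1503 is not an opaque number: the low nibble 3 is LZX and bits 8 to 12 give a 2^21 window, while the x86 cabinets' 0x1 is plain MSZIP. Second, in every cabinet entry on this page the on-disk size exceeds cbCabinet by exactly 5960 bytes (919044 vs 913084, 900598 vs 894638, and so on), and the 20-byte header reserve is the layout Authenticode-signed cabinets use to point at a signature blob appended after cbCabinet; the block reports that trailing length but does not parse or verify the signature. The input is a constructed stand-in that reproduces the header fields and the six file names from the preview; file sizes are zeroed placeholders, a 256-byte zero run stands in for the CFDATA blocks and a 64-byte zero run for the trailer. The entropy helper is the same 8-bit Shannon measure as the "Entropy (8bit)" column; the report pairs values near 7.999 with "Encrypted: true", but LZX/MSZIP output is compressed, not encrypted, so treat that flag as a heuristic.

```python
"""Decode a Microsoft Cabinet (MS-CAB) header and the fields file(1) prints.

Added example, not code from the Joe Sandbox report. The cabinet parsed in
main() is constructed inline; nothing here decompresses or verifies anything.
"""
import math
import struct
from collections import Counter

CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004
COMPRESSION_NAMES = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def describe_compression(type_compress: int) -> str:
    """CFFOLDER.typeCompress: low nibble is the codec, upper bits are codec parameters."""
    kind = COMPRESSION_NAMES.get(type_compress & 0x000F, "unknown")
    if kind == "LZX":                      # 0x1503 -> LZX, window 2^21
        return f"LZX (window 2^{(type_compress >> 8) & 0x1F})"
    if kind == "Quantum":
        return f"Quantum (level {(type_compress >> 4) & 0xF}, memory 2^{(type_compress >> 8) & 0x1F})"
    return kind


def parse_cab_header(data: bytes) -> dict:
    """Parse CFHEADER, the CFFOLDER list and the CFFILE directory (little-endian)."""
    if data[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    (cb_cabinet, coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, set_id, i_cabinet) = struct.unpack_from("<4xI4xI4xBBHHHHH", data, 4)
    pos = 36                                # fixed CFHEADER size
    cb_cfheader = cb_cffolder = cb_cfdata = 0
    header_reserve = b""
    if flags & CFHDR_RESERVE_PRESENT:       # "extra bytes 20 in head" on the report
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4
        header_reserve = data[pos:pos + cb_cfheader]
        pos += cb_cfheader
    for bit in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):
        if flags & bit:                     # szCabinet + szDisk, NUL terminated
            for _ in range(2):
                pos = data.index(b"\0", pos) + 1
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", data, pos)
        pos += 8 + cb_cffolder
        folders.append({"coff_cab_start": coff_cab_start, "c_cfdata": c_cfdata,
                        "type_compress": type_compress,
                        "compression": describe_compression(type_compress)})
    files = []
    pos = coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, pos)
        pos += 16
        end = data.index(b"\0", pos)
        files.append({"name": data[pos:end].decode("ascii", "replace"), "size": cb_file,
                      "folder": i_folder, "attribs": attribs})
        pos = end + 1
    return {"cb_cabinet": cb_cabinet, "coff_files": coff_files,
            "version": f"{ver_major}.{ver_minor}", "c_folders": c_folders,
            "c_files": c_files, "flags": flags, "set_id": set_id, "i_cabinet": i_cabinet,
            "cb_cfheader": cb_cfheader, "header_reserve": header_reserve,
            "folders": folders, "files": files}


def trailing_bytes(data: bytes, header: dict) -> int:
    """Bytes on disk past cbCabinet; signed cabinets keep the Authenticode blob there."""
    return len(data) - header["cb_cabinet"]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), like the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_cabinet() -> bytes:
    """Constructed cabinet mirroring the report's first entry; bodies are zero stubs."""
    names = [b"D3DCompiler_42.dll", b"D3DCompiler_42_x64.cat", b"D3DCompiler_42_x64.inf",
             b"D3DCompiler_42_x64_xp.inf", b"AUG2009_D3DCompiler_42_x64.inf", b"infinst.exe"]
    reserve = bytes(20)                     # signed cabinets store signature offset/size here
    folder_offset = 36 + 4 + len(reserve)   # 0x3c
    files_offset = folder_offset + 8        # 0x44: one CFFOLDER, no folder reserve
    cffiles = b"".join(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n + b"\0" for n in names)
    data_offset = files_offset + len(cffiles)
    cfdata_stub = bytes(256)                # stands in for the 82 LZX CFDATA blocks
    cb_cabinet = data_offset + len(cfdata_stub)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, cb_cabinet, 0, files_offset, 0,
                                   3, 1, 1, len(names), CFHDR_RESERVE_PRESENT, 11125, 1)
    header += struct.pack("<HBB", len(reserve), 0, 0) + reserve
    folder = struct.pack("<IHH", data_offset, 82, 0x1503)
    trailer = bytes(64)                     # stands in for the appended signature blob
    return header + folder + cffiles + cfdata_stub + trailer


if __name__ == "__main__":
    cab = build_sample_cabinet()
    hdr = parse_cab_header(cab)
    print(f"cabinet {hdr['cb_cabinet']} bytes, {hdr['c_files']} files at "
          f"0x{hdr['coff_files']:x}, flags 0x{hdr['flags']:x}, ID {hdr['set_id']}, "
          f"number {hdr['i_cabinet']}, reserve {hdr['cb_cfheader']} bytes")
    for f in hdr["folders"]:
        print(f"folder: {f['c_cfdata']} datablocks, {f['compression']}")
    print("files:", [f["name"] for f in hdr["files"]])
    print("bytes after cbCabinet:", trailing_bytes(cab, hdr))
    print("entropy of whole blob:", round(shannon_entropy(cab), 3))
```

Run it against a real dropped cabinet by replacing `build_sample_cabinet()` with the file's bytes; on the page's cabinets the trailing-byte count should come out at 5960, and a non-zero value with no 20-byte reserve would be the thing to look at more closely.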
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 894638 bytes, 5 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x86.cat", flags 0x4, ID 10010, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):900598
                                                                  Entropy (8bit):7.998420689572084
                                                                  Encrypted:true
                                                                  SSDEEP:24576:wWl8lkb28nNHiYNk9tb59zmj000KFiBudeBsbgor:Ro8NHi7/pAJioES
                                                                  MD5:683D8C01C5B5E1E94B6B5901C45927DA
                                                                  SHA1:7CC9B777F4CEA1CC977D48B11FE92E7BB2A17072
                                                                  SHA-256:36C9BE8C55F721C38110D56A6CCADA672E7566D89F77C738C94FCDF1A584ECF4
                                                                  SHA-512:85DA50FE4EC8A665612DB0101F9369D8E760BBF008BAA6BD28FC73D70259AA8E00F63418F01017DF4A7A36BEB668E11D3D0C29F6502D52E7D6F0D1AD3AA5BEB3
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:MSCF............D................'..............H...............=...X!........$;....D3DCompiler_42.dll.....X!....$;...D3DCompiler_42_x86.cat.!....;....$;...D3DCompiler_42_x86.inf.<....>....$;...D3DCompiler_42_x86_xp.inf.....4A....$;...AUG2009_D3DCompiler_42_x86.inf. ..$..CK.Zyx...?..P....%i..@.mh...,e.Y...5...&.!K).Pe.*........;**..zq.j...* ./..s./dR...=.}.....y.o....93I;.+X.c,.....-Ln..o.)z.<.m..F..e...s.|a....!w@...A=..jj(.T}A.j.j@.j..=...c...=...m.....m...m...6.h.o...[....m.h.k+...s<./F.R.'.<..7Vs...f*.......]..M...O6.NVD....o.{v..*.-.ub..........5..q."....V6..m..B._l..w...mI....j.S...mdlG.c..0.*U.p.. ..?.;"ZS..}?b\|...=.<...q...Wb.s..9..:.VG(......ExM.w.Mp.4.N..g...Vjg..7./\nG....Wyn..l.."..;..6...v....S....b1.Y...^..Sk..P....vRl.x..!.u..)Z(B.u.gQL.(...R0..../)>.x...<..d.3(..h.h.XE...."......}T.....(.S<O.(....(n......|......b&.....E.y....),.m{ml7.7..S.G.....[(.S..XE.L..Hc.L...6.w(vR|C...."......y.........M....o..-.....[.h.b....V4.I9...D.As..]h....).]
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 3106151 bytes, 6 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x64.cat", flags 0x4, ID 8980, number 1, extra bytes 20 in head, 173 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):3112111
                                                                  Entropy (8bit):7.999844914933595
                                                                  Encrypted:true
                                                                  SSDEEP:49152:jRrZSmj6bGmA5Aw2nnno2WQeJzT2UiS4C7/RebBFC0+kkIjWStDXan3aUjzSr:j0qAno2WlJzCUiA/IbfH+kwStGn3aUI
                                                                  MD5:A91957A8E5F8A7040690A1C2A6349E65
                                                                  SHA1:42D76E85919B84EF4CB28C9337F796861D7B1345
                                                                  SHA-256:B53BB3ED6F56702672F9F0201F6399B28F8C012AC7F1A604FB13B32A10A40DAB
                                                                  SHA-512:F2424BB69211EDBA17BE741346492CA6D1A6808FD28A13BAAE916EDB62AE99921507CEF89BC923B1C8F9783558663BCBBB837EDA8CD907214EC54BF2CFAFA60D
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:MSCF....ge/.....D................#..........ge/.H...................P.T.......$;....d3dcsx_42.dll.....P.T...$;...d3dcsx_42_x64.cat.......T...$;...d3dcsx_42_x64.inf.....f.T...$;...d3dcsx_42_x64_xp.inf./.....T...$;...AUG2009_d3dcsx_42_x64.inf..(..L.T...$;....infinst.exe....e..[.....@.........)..wD.j*.*"..5...K..P."U+...(...+"!..+.v........;...{.X&...X......D......6.36j..add...6".~.c..K".z/|.[.w.4".......b....XLlhl;.nl....m..X6...L.... .!..........#.F5Pf.d.|..w.++.WCA$.F..ZB.Gm......[...[I.mm.o..|9?'.......a.G.x.l{.N....S..h..i8......f.......E.......A........1.0....g.......2#..S.{E..+.w....k..'\.}.V.q..Y.....P.>................c..P8.........k..Q..Z....@.@..........|V.$^... .w../..f. x...w....?E.."..uL.*.U\..>.p#o...>.y.|...Z.K......6...P.%u.....<c........ t.?m.?..&...qL......|...w.G5?..ON@N>..]A......._B...b7@G..p..'.....@.. >....g.._..8Z........si;`.#.s..v../.......<v....L./..Oy.8g.;.j..9.s.8..O....Ty.....#........qK;H.j..9.\;_.e.qyn..Ot.....@.......<r
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 3313780 bytes, 5 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x86.cat", flags 0x4, ID 7865, number 1, extra bytes 20 in head, 169 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):3319740
                                                                  Entropy (8bit):7.99930253185738
                                                                  Encrypted:true
                                                                  SSDEEP:98304:td4ZyuDJf9oMm+hWh3ZHD8VZQCbsY/ny66RH8:luD8b2WUZQCg+ny0
                                                                  MD5:D4D7680AEE67FC5AE2BC26FBB228C95A
                                                                  SHA1:7450AD46E2E01A0AAB1C4CCED180B657B5FCFA41
                                                                  SHA-256:A66FD98A1F746698848A4A7EB5AE69DAC8FF2654B56C7DECEBB03CDCA8DC7C85
                                                                  SHA-512:873425E468916F4890B940D3AD90643939FD72B1510C1BD2FD7708A7D40312BF2A96215F54239D02DB32F814EC7687F74AE274032440103BAD2A60D6735BA683
                                                                  Malicious:false
                                                                  Preview:MSCF....t.2.....D...........................t.2.H...................`.S.......$;....d3dcsx_42.dll.....`.S...$;...d3dcsx_42_x86.cat.......T...$;...d3dcsx_42_x86.inf.(.....T...$;...d3dcsx_42_x86_xp.inf.c.....T...$;...AUG2009_d3dcsx_42_x86.inf.?b5B.]..CK.w\T..7.Mnb.QA..E..Q .B...AD..X.q.JS.H..&&.....HS... .a.n.((..J/....!R.a.y..g0......<....9.}.^{.....do3.sb........PL....V......_.|)V..w.a.d.>.#~k.......Z.t.......e.o...#.k.,..x.8.(/\.......5.4....?.Z.B;.9;t/....@..^&..C...m.........f.....#N..._e.c(&f....].-|.....>X..?>..S.#&..!..v.BLl1*b.^.&....},..r|4...}Dy...@....\,.^..R....#v....Gl..j%v..w.k...^.....(...........l..m..,............k..J ..?.o.FL.{e........Cj.{..=.-&.oe_?_'8's....~..k.o.}]<}.a.^jnb.....j...........U..3p.....]pl.C..)8.....#V.G..Yp\.#....0.C..q8...#6.G+..p..:...)....#..G8...H.#..z8..x..8._.;Rp......8.....A8hp..#..Sp\.#..Ox....8..0.c3.RpLk.<.x..-8R.#....q..x..~.?}]Jz.bU8L...........j..z.K...6.{Cl..6.sVsV.Z.....sGUrE;..'..a.#>.._Q.U}....sb.\....}-A.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 924156 bytes, 6 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x64.cat", flags 0x4, ID 8195, number 1, extra bytes 20 in head, 79 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):930116
                                                                  Entropy (8bit):7.999745316575872
                                                                  Encrypted:true
                                                                  SSDEEP:24576:d3pwYa9fbSzpdh2Yp+iZ1YAqhfeO9yx2Ejb7yzfst:d5wYabSzLhZYw1YAQfvIMA+U
                                                                  MD5:70CC5B4B3C39879D3E9058A33EF94F27
                                                                  SHA1:37940CCC5DC1FD410BBE6667E78AD7CA8FD2E1FB
                                                                  SHA-256:832F6A4415C873ED8ACCA0D5C9E65FE163D9567F0CE29FB3FDA11D7AFD1E11C7
                                                                  SHA-512:B9423E48E2174CE5F1DAA6472138BDC7024F160DBFC49623318EB1AEFB735C5A1593072A95298A0350A95ABDDC1367F6707D34B0882DEC6B8A9AFBDEF99ABB9D
                                                                  Malicious:false
                                                                  Preview:MSCF............D................ ..............H...............O...X.%.......$;....d3dx9_42.dll.....X.%...$;...d3dx9_42_x64.cat.......%...$;...d3dx9_42_x64.inf.....r.%...$;...d3dx9_42_x64_xp.inf.,.....%...$;...AUG2009_d3dx9_42_x64.inf..(..Z.%...$;....infinst.exe...o....[.... )..L.P..%1.f...O..{.]..... ....$!..D;P......tk...t.D...e....6...1.@ff...........^r.~onu..ED....&..VZ.D...2G...nd)$.u..h\.......6..H/...%..."%....1...HL.........T..M....@P..Q........=..w...93..=..CD..Q.. ...%....-..&-.Z.A.s..E..iE>.....*E.$.F....&.g..i..t.o.......@.~$}..x.t.$>.>>..;..$>.z$V...%]....q.fq.uY...6st...b,T.WyY.>...}...*..:.I~v.M..I..z...S...K..........NRgf..."M.d."......B*..........C... .d......8...<.=..i.......g..<..>...Y.P..=.6..3.,..).+.5<?}~a..3.s..V.0....n.......J.'.<.....`.UH......c}.Q.o..?......V..7........>.w.e.=;...n.h.. F.g.e....g...O.....fn .s..._.'E;A........_[.Fb,+..#y.D..h4..p0..B.>.?L.p..i.EB..;...!D..p/.b.....R...2.''...a...o.os..... ..S..'<.ct
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):728456
                                                                  Entropy (8bit):7.999578239602564
                                                                  Encrypted:true
                                                                  SSDEEP:12288:cDTg2rIyRKFAtmsFp1UChyax+LFl9NiHEpMH5Vfe8PIqEqnyA6F56ky:g02fKYVFvhKLFl9NikiH5V28PXyA6Gky
                                                                  MD5:D6E61DEF8B75A600F46605FC204D8E09
                                                                  SHA1:6F3D87EE3995A768E2E965A0CAF7DE55F07D68E3
                                                                  SHA-256:0ADC71E37869F12B4806321F40C25DAD3D5F8AD372EB35E0BCBAACF60408EB45
                                                                  SHA-512:56987B92B33F876B35BFBAF8CEC458FA4A329377BCAC4FF1ADB746F8A25ED5520494DD603D9443E40C0915C736C9AE9FA8807F668761E7F7482CE8BEB7949AAD
                                                                  Malicious:false
                                                                  Preview:MSCF....@.......D...........................@...H...............;...X.........$;....d3dx9_42.dll.....X.....$;...d3dx9_42_x86.cat...........$;...d3dx9_42_x86.inf.,.........$;...d3dx9_42_x86_xp.inf.\.........$;...AUG2009_d3dx9_42_x86.inf.....::..[.... .......5!.P..wO.n..pOc....7...l.c.n..slmk]....]...B..W..D..UJ...P........C.......l8..y^.S.N.I..7%.....].n...d...>.#....zT{6+..X.UB. A*A......u7{0...n. ....d..R....=...D...F.......n..n..~U.]..U.EX, .......A^;...(...<.@#0/..O.!...i.#.C....D...D.cwC.v.y.<+.*..*..g.l....f.k...W...[..I&...M..W.&Z..^..MB...:.LyQv.l.U.=Y..%....8Ls.......-..".U.....s.f.YVvX...-..8T..m...=..9.CN!89....f.2.G.....:s.G...>.......c^.Z..=h.l..Q..w..yc.\i.Z.^...$cw.T.".d`.jhL;.ZqB.L.{...Z....h{=s.....a.4.1../..`....|;I...;...$.m!l'.g..pa.).b0..:.tT...T..{..<..T.....z.....!....,..|.@.../..A.....q.......@.....................|..5...[..p.6....FE.../.609$.....+.Q.f.N3.....L; ..6./.j.4.a*.E2....(G0,...x..5...IBS.._......9.....%0.....
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):95576
                                                                  Entropy (8bit):6.500628817584274
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Bc8tBKv1HCyODN2wjIqlLmqxY3AMVI4I9okOEvc0/c/sZRYltL26VVE2S+JJqsHy:BftQv1iyODswNLmqxY3AMV71Ev54EAxM
                                                                  MD5:EB701DEF7D0809E8DA765A752AB42BE5
                                                                  SHA1:7897418F0FAE737A3EBE4F7954118D71C6C8B426
                                                                  SHA-256:2A61679EEEDABF7D0D0AC14E5447486575622D6B7CFA56F136C1576FF96DA21F
                                                                  SHA-512:6FF8433C0DADC0E87D18F04289AB6F48624C908ACBDA506708F5E0F3C9522E9316E587E71F568938067BA9F37F96640B793FDFAA580CAEDC3BF9873DC221271F
                                                                  Malicious:false
                                                                  Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xx...+...+...+..+...+...+F..+.6k+...+.6x+...+.6{+...+...+...+...+...+...+...+...+...+Rich...+................PE..L......M...........!.....*...N.......k.......@.......................................4....@..........................5..y....*.......p..h............^..X.......H...0................................6..@............................................text...)(.......*.................. ..`.data..../...@......................@....rsrc...h....p.......@..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):517976
                                                                  Entropy (8bit):5.9440274231307315
                                                                  Encrypted:false
                                                                  SSDEEP:3072:Qi6LKKSPluzye9iHWptICTrbusJxDO9insyH6+PJTOramZap5XVeR4zW1mFD1gbH:8UHWDICTmUxDpEa04+GU
                                                                  MD5:BF3F290275C21BDD3951955C9C3CF32C
                                                                  SHA1:9FD00F3BB8A870112DAE464F555FCD5E7F9200C0
                                                                  SHA-256:8F47D7121EF6532AD9AD9901E44E237F5C30448B752028C58A9D19521414E40D
                                                                  SHA-512:D2C354EE8B6977D01F23C6D2BB4977812BF653EAE25E7A75A7D0A36B588C89FCDBDC2A8087C24D6FF687AFEBD086D4B7D0C92203CE39691B21DAB71EAFD1D249
                                                                  Malicious:false
                                                                  Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..Sf}..f}..f}..A...s}..A...E}..A....}..o._.k}..f}...}....f.g}....g.e}....V.g}....Q.g}..Richf}..................PE..L......M.................b...j.......p....................................... ......t3....@...... ...........................d..........l<..............X............................................4..@...............L............................text....a.......b.................. ..`.data....2...........f..............@....rsrc...l<.......>...z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 938500 bytes, 6 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x64.cat", flags 0x4, ID 11138, number 1, extra bytes 20 in head, 80 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):944460
                                                                  Entropy (8bit):7.999611236422434
                                                                  Encrypted:true
                                                                  SSDEEP:24576:Sww34eXR087AW7psiEut/r/eY5u6FZqLB5:24eCW7pvEut/r/eY5nFZqLj
                                                                  MD5:0109C2931C4442C8192539F1991B6985
                                                                  SHA1:1B3F6CF35DC745EA8748DAE910F704B124E69F73
                                                                  SHA-256:213AD66AB9E469DB1E6A49A646D082BFC3700DB94172984E7E36801612AF50C6
                                                                  SHA-512:C60BF98A0FFFBCF3966D7D8ABBD12F2A7E6E85B1624D67E9C5D5BB686D41B8AD12761E6CD13439D90248D194888897D055D2D5F3FA4FA2DDD7D21F5E7070B147
                                                                  Malicious:false
                                                                  Preview:MSCF.....R......D................+...........R..H...........*...P...h.&........<!]..D3DCompiler_43.dll.....h.&....<B'..D3DCompiler_43_x64.cat.......&....<.&..D3DCompiler_43_x64.inf.......&....<.&..D3DCompiler_43_x64_xp.inf.>...e.&....<.&..JUN2010_D3DCompiler_43_x64.inf..D....&....<a%..infinst.exe.G.......[...6 ..y..`..5..f...O...m.m...v....u.=Z...7..nt....0.t..nY......(..h..4.......f..f...........{....J&.ZV.#N.lJ.G..-2.Z.Iv.*t.e.]od^.sn..qu.....7.....-MD..-...pm.k.t]zI..*j.{.@.X..`P....E77...x...%...X..........U...<....f....w..]..2....m....[-3e.....qL...&ic.6....JDh..R. ....I......$/@_...9.f@.U..Ved..u...V..3.^%=q.... ....<.V.h>...w.f..5.t...YFg.4+CO..-.{|.(h....q...>..@..gX.........g.......Q.......39-g.F.Y.M...xf9......1............g...9G.\...VS.N.9,..h....n....ok....v8..G...G.m."....~.[..0.5.P......Dy......]...#.k.......<.u.A..:...~...G.m}9..b.....T.Y._e.V]35.z.;...1...)I>J...o..".Hq...z............N..sV.]..(.^...."N8......C.p.....m.Y..d.....Y.%(.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 925511 bytes, 5 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x86.cat", flags 0x4, ID 10023, number 1, extra bytes 20 in head, 65 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):931471
                                                                  Entropy (8bit):7.998306828478949
                                                                  Encrypted:true
                                                                  SSDEEP:24576:dOWjUzqd7URYQio4yGDUATxoWDYicd3qRbmXHphTheUB:dtx6RYQiL1DUA7EicSbUJhI0
                                                                  MD5:F7F554AA613ECCF065575B8C69717EF7
                                                                  SHA1:8417886D47C19CF6892F4080DDD5AAA1A49DB3E9
                                                                  SHA-256:417EEBD5B19F45C67C94C2D2BA8B774C0FC6D958B896D7B1AC12CF5A0EA06E0E
                                                                  SHA-512:618F6DBB5BD9D44A8F10D119F5EF644F168FE3D8DB986994E8CCE31D1F11FF9AC872B389D1F218A82FF8B397BFACE587F97CA21E8F77433DBADB2AC475E9E6C1
                                                                  Malicious:false
                                                                  Preview:MSCF....G.......D...............''..........G...H...............A...h# ........<!]..D3DCompiler_43.dll.....h# ....<B'..D3DCompiler_43_x86.cat.!....= ....<.&..D3DCompiler_43_x86.inf.<....A ....<.&..D3DCompiler_43_x86_xp.inf.....QC ....<.&..JUN2010_D3DCompiler_43_x86.inf.W...P!..CK.[{|[.}?.J..'r.$...k.I........;/.`HZBG.e..V.....C....e@..i.%.@C.:.e..2F..t..A...n.i..e..F...s.W..,.l.g...7.{~.....y.k....`...06..1._.l...af..3..S^.<&my.r[. .h.p_.;....P8...J$.R.!...@.:g.Z.......;...s.}.m.....)...U.....4.H..m....u.]s......A.....d.]..."YYK.....&WN..2v..._........*.?vq/3fc.@^.XSD.zD.:.K.a.Mt..........r...LT...C1.+........s..(d.,G.O.l..:y\.X..S.bD.. /..5S.2.v..1/...<r_G.b6^..3....^.@.._5.f.vgD..I..gznTl...[w......p.y[....u...B...v..........&.%..].u.:....}...{..".)..........;......*B1.Jx.b9I8Ax.p.p.PF...........F.".".....|.^%.Hx....;.#.{.......1..B7a.a....$T.J.3.V....=..7./......%<F8B...v.....C.N.$<Hy|.p....Y..W.'.....\i..J(&(.%.....0.S.=y_..........F..[Jp.1......(-.....
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 746823 bytes, 6 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x64.cat", flags 0x4, ID 8993, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):752783
                                                                  Entropy (8bit):7.99950571437468
                                                                  Encrypted:true
                                                                  SSDEEP:12288:nDH/lxG7YZg1tkPRZ8m4a8PAWDJRZBIS8vKU+C4+MyPBtStjea7+BjD/Ve4tEua:7RRRKy8LJRZmjysBE8aaBjDFtEua
                                                                  MD5:850AAFDDFEFEA671A2E1BBF1B65F2A8E
                                                                  SHA1:9679E7F294CA9DE945B6F4F3D775D739DC2F8CD1
                                                                  SHA-256:CDBEC7E3A5A0FEF016EB294B036F93C75E45C6EAD8D99397F859A32D23FE20CC
                                                                  SHA-512:D87D8D123700E02CAA6562C9F22A90E86B2D8277B20089AB9D77A885094AEF22BB69D60405B366EBF8CBF74F4B53A17095C3CC93B8BD3766CEF7EB02BC47397B
                                                                  Malicious:false
                                                                  Preview:MSCF....Ge......D...............!#..........Ge..H...............>...`..........<!]..d3dcsx_43.dll.....`......<B'..d3dcsx_43_x64.cat......5.....<.&..d3dcsx_43_x64.inf......8.....<.&..d3dcsx_43_x64_xp.inf./...::.....<.&..JUN2010_d3dcsx_43_x64.inf..D..i=.....<a%..infinst.exe....!.i..[.....pk........>.....T.*...D..T..^By.R^T..*.....B..H^.AE.[.j...hf.......c...y..$6.........1U...X....r..g..`X...ofc.+2.o.......a.XF.0{c[..5`~d..a...+.1. .Vc.@.$.{.6....K.s..........@U;...//...0.L...NP.4S.w.kI......2e[.pU.......61.....u...\8..v.......$...../.gg.H..W.!..-....qA...x0.0...~T......{...u....>......{>.x)=\..3..{..qs[..9r....#........o.Y.P.eK..WB~...o_.`n...}.......q_.]..}[.....d.l@.....x...9....uo%.......^H..?..|NF....&\......L..#...]..&...].....q.w..'...Q*i....|U._..{...f........{.7.Z.p...m..F..7........{.'Fb...R.....6i.O.<.FC.............g....ju(....i..q.xV..SC.?...n.Z..f%]...X.*......?..q..n.^o.}u.......cO...\|..]7.1....h...(......Q.x*....K._q.\v~W......sq...+.-.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 756228 bytes, 5 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x86.cat", flags 0x4, ID 7878, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):762188
                                                                  Entropy (8bit):7.9969495151193515
                                                                  Encrypted:true
                                                                  SSDEEP:12288:u8Dx0/99rEneJVyrxcsaWmeUEEBTJNCK/FcZZXlewc3/2tqCyrIUl3z82ItDwh2a:jDO19AVrRfEHNZWZrs3+ICyco3MDISTI
                                                                  MD5:44DBA9557F956787B66F285776C3DCCB
                                                                  SHA1:4560C64F8B6BBDEEDD85398F2E18404C389E4D8B
                                                                  SHA-256:E2C5A2CBBA7F211B6CA72FF8E5F69CBA1F83BE06357311B19E64F582FD3D14E4
                                                                  SHA-512:25FBC95346BAC890FEE8D2A0805015AF1EDA5E0BB17B12D4EEF52CA446775D08898FE5C13239E983A0F8C8DD13F8F2A5247A70E8E785E2BAE42FF5AB1CCA4156
                                                                  Malicious:false
                                                                  Preview:MSCF............D...............................H...............:...`..........<!]..d3dcsx_43.dll.....`......<B'..d3dcsx_43_x86.cat...........<.&..d3dcsx_43_x86.inf.(..........<.&..d3dcsx_43_x86_xp.inf.c..........<.&..JUN2010_d3dcsx_43_x86.inf.UR.....CK.{t.e.....6.I.Zp....a/.v.U#.Hi.%..V.f......&[(. .R..l.Tm4VA..."..-JA.Z.@....J.....x.....$.|..y|....fv7..._..wf.-.N.QJ..z.......Q.....<aG....=5.K...,......^.....]]....`..`GWp.9........S..c...>9kG.P.M...\......^O..[:.7.5..s.....|.........#.|.....TS.Xu0.....W.5.J...G....{.....*8.E...J.:B..l...9...........E..Q..'8j.....u.a.V.T.$Y.....O.V*..?.HW.._..........rMiA..g.;r....M'.Iy>9Z...!Y.sF.'......<.}..<......X....o;5..T.,..g.3|.....\....QOK.#5 .Vj....3."R'J...z.Q......n..R}R.K.J.:Ej..*.uHj..CR;.6K...>...QWK.Im..U.A.g...'.N..J.,..j.:Kj.....R.H]..Nj.TV~6#.Tj.T.T...R.R..;j...R.H.H....|.5..'.d...z.kU.eR....z..d....*...PO.6..J....ZT...t8T..d...D8.ji2.Lf$..lGw....7^s............k.j.q/...\.f..}ek'....
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 931286 bytes, 6 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x64.cat", flags 0x4, ID 8208, number 1, extra bytes 20 in head, 77 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):937246
                                                                  Entropy (8bit):7.999693233942841
                                                                  Encrypted:true
                                                                  SSDEEP:24576:mneqhPULh1ksCctVV+WOwy/vW09rabgcZhBeYCrrPe:1hOJY3+Lwy/vjkgcZaXO
                                                                  MD5:063FA6F7061324EAC1C4DE0350C20E80
                                                                  SHA1:DACCF01B4B7493B88F04F9E50FE37C03846335AD
                                                                  SHA-256:9B98A1269AF7F3A0007BFDC73206A47A6EE158D34BA8A87009396C18186BB06A
                                                                  SHA-512:3AD31100CBCA4DA52E46518E577DCA94B595F9D47A3E9552CD764905FFC2876F9127B69A97BAC44DBD754021E14DDEC65480B7628A3768F03E53DE8FBB08C547
                                                                  Malicious:false
                                                                  Preview:MSCF.....5......D................ ...........5..H...............M...X.$........< ]..d3dx9_43.dll.....X.$....<B'..d3dx9_43_x64.cat......$....<.&..d3dx9_43_x64.inf.......$....<.&..d3dx9_43_x64_xp.inf.,...;.$....<.&..JUN2010_d3dx9_43_x64.inf..D..g.$....<a%..infinst.exe.|.......[.... Ih......%1.f...O..{...CG.U.....DP..+e..R....t...np]....ncl.C7.0.6.fh.....A....!....w.........t$i..zI..V....\U..`.7t.b..7.Nb.;.w...n..0..u..i.7.#ND[1.c.H...4i.$$N...&Vh..J.?...=.."....{@.>...{..{.....].....E..1...".B.D-...+..EjA.,..P4._+Z.M..$N...)x)).8....A..$.o..T.N.M#.R......(......p....!......P...{2mz..........;BI...9...L.<..e...../.GW......utE..].v.Kt<u./..4..}t|y.|....MQ..)g[.I..yr.X....|C.E....~..3'iF...F...(.......g].MZ7~O..k..c.../..#...z....Z.x.'....vM..rCM..=.?+T...,-u....!..3..9.....J..o..O...Z..d.5....P.>...9.....w.l.wC..y..I.....dg.....a.$..M.e..w.O.'I.....{..p...&..t <$VS.....c-,Z.0..i......3.I..c....8..@{..=..w.,@.(.......4..Z.......,.A..l..................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 762076 bytes, 5 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x86.cat", flags 0x4, ID 7093, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                  Category:dropped
                                                                  Size (bytes):768036
                                                                  Entropy (8bit):7.999483017977704
                                                                  Encrypted:true
                                                                  SSDEEP:12288:w0b5pTUIVIRxV+yb+HJFnXQRGr85UpzQ3VztxmHN8DMFy0BJ1lSIug3SqHAlzJYu:Z51NVO+XVLs3VztQHmYjBJb931I1NYIZ
                                                                  MD5:7749862C307E527366B6868326DB8198
                                                                  SHA1:BCE9F21CDB1E101C7223C9E62ECA61EC22D6BB81
                                                                  SHA-256:FCC6CF0966B4853D6FA3D32AB299CDE5A9824FEAECB0D4F34EA452FB9FD1C867
                                                                  SHA-512:B65A84535B749ADE0F8EA1A8AB6239DF8E82AD59CBDB07487FDBFCFCF57A565F493F56378E216859A081D23DDF7C671636F53EF821289D66452F09218080F02B
                                                                  Malicious:false
                                                                  Preview:MSCF...........D..............................H...............>...X}.........<!]..d3dx9_43.dll.....X}.....<C'..d3dx9_43_x86.cat...........<.&..d3dx9_43_x86.inf.,.........<.&..d3dx9_43_x86_xp.inf.\..........<.&..JUN2010_d3dx9_43_x86.inf.[.'.":..[.... .......5!.P..wOnf..O..........9vm..o..f.6.....+I).H]..t.....T...v.!..M.......>>.{..._..t....g...:..jh.N....K...vJ.r.. ....;J.zq.....*....H....'....d.=...{O.4.xIBC..L7..2....... ..E5`5`........<s...9..(.b3. .."t....M\.;...0......*...H....K.5$...L.Ha....%..e..V........{.t....#3kk.sR6.....I.u.Em....b.Dl'.E.[.D.N....m53%...'.m;.>..yf.6..pN..N.y...-.5Y...f.......-.B#.......;.D]......G.8.5...*G.......x..}...!.GwT.......WwKuT...Y.l[f..}ji...{.h{...x.u.....>..1....k..v.D."W..ZA..<...7=c2QN.Y.......v..k&aHudg.W...`HbV{.Q..CJk..nLpw..#.&5.%S...G.&.`....]...EpFY...(....P\..+/`..&..ap....S....BR..'....s..c........p..B..j*....c..D....mU.x....N.r..QfEz`...}.._...........8..$..........!.G...i.@..P...."c..d.L00...QX.B0.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1566040
                                                                  Entropy (8bit):6.38739478154395
                                                                  Encrypted:false
                                                                  SSDEEP:24576:CIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXi+:CIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXf
                                                                  MD5:D8FA7BB4FE10251A239ED75055DD6F73
                                                                  SHA1:76C4BD2D8F359F7689415EFC15E3743D35673AE8
                                                                  SHA-256:FB0E534F9B0926E518F1C2980640DFD29F14217CDFA37CF3A0C13349127ED9A8
                                                                  SHA-512:73F633179B1340C1C14D0002B72E44CAB1919D0EF174F307E4BFE6DE240B0B6EF233E67A8B0A0CD677556865EE7B88C6DE152045A580AB9FBF1A50D2DB0673B4
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?...?...?...G6..?...?..U?.......?.......?.......?...I>..?...I...?...I...?...I?..?...I8..?..Rich.?..........................PE..L......M...........!................c........................................ ......\.....@.................................$...........P...............X............................................^..@...............h............................text............................... ..`.data....4..........................@....rsrc...P...........................@..@.reloc..D).......*..................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):97152
                                                                  Entropy (8bit):7.99414458916803
                                                                  Encrypted:true
                                                                  SSDEEP:1536:JvknxJRHNYzrAzRstaRGk0jzphvXdy57XwwnNb+vnaI1eYpIKxozNlmn6F5x:JvknxJpNYAzRstaRkz0BwwnNbSa+vp58
                                                                  MD5:D495680ABA28CAAFC4C071A6D0FE55AC
                                                                  SHA1:5885ECE90970EB10B6B95D6C52D934674835929E
                                                                  SHA-256:E18A5404B612E88FA8B403C9B33F064C0A89528DB7EF9A79AA116908D0E6AFED
                                                                  SHA-512:A25C647678661473B99462D7433C1D05AF54823D404476E35315C11C93B3F5ECE92C912560AF0D9EFE8F07E36AE68594362D73ABF5D5DE409A3F0A146FE31A10
                                                                  Malicious:false
                                                                  Preview:MSCF....8d......D...............R...........8d..H.............................~>.%..dxupdate.dll.02........h=...dxupdate.inf.1...0.....~>.%..dxupdate.cif.T....'..CK.Z}.$.U....;..@.e!.#....G===.=+".?..+.s..l8....o.{....;.+..(...d,..HVd..,......(..[&H.........Y.Y..~..{.gv.vW.'.....^......^...}...1v....2.*.~.......y...a_.....^Z..V?H.Q..bo(..0.Ra...q(..`o....W.....4~...q.?...F.............].....~c...O7^..W..x.?...l.=.~$......'..o;.._.....'u.aK......=..X.........g........~.].[..+..\b._........p.=.....w...%..@.o-.....O2..w...~sn..D_:....G).../e.Q_/....=Y.x........p.0..^....w...A}..'..... ...P.7....3.av...?...Kl.......>t...O`..b.]....x..Y....._...x..}....@.....1.9.o....[.?.......)...g..'.1.i../.^.|..=........x...L.6`...>..,...K./....6...........A.#.?.8.|....?.|......w%K.>@..(.I...9.../....].....%v7.>.....-@.p....E........6...Kc..p?@.....8.|.p/..xg...7...^.(..7..X~?..........#...w...q..U....f.... ..?<.\...}.K.Z.,]+...../..-......e...aO....a9Y......Wg.
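Every cabinet above is reported as Encrypted:true with an entropy just under 8.0, while its File Type line already names the codec (0x1 is MSZIP, 0x1503 is LZX with a 2^21 window) and lists the DirectX redistributable members. The "Encrypted" verdict is an entropy heuristic, and LZX/MSZIP output is expected to look random, so the practitioner's check is to parse the MSCF header and confirm the container is a well-formed cabinet with a known compression type before treating the payload as an encrypted blob. The parser below is an added example, not Joe Sandbox code: it reads the same CFHEADER/CFFOLDER/CFFILE fields the File Type line prints (file count, offset of the first CFFILE, flags, set ID, reserved header bytes, data block count, compression), computes the 8-bit entropy of the data region, and builds a constructed cabinet (filler bytes standing in for LZX output, file names mirroring the previews) so it runs without the dropped files. The 7.9 cut-off is an assumption; the report does not state its threshold.

```python
"""CAB (MSCF) header parser plus the byte-entropy check behind a sandbox
"Encrypted" verdict. Added example for this report, not Joe Sandbox code;
the cabinet it parses is constructed here, so no dropped file is needed."""
import math
import random
import struct
from collections import Counter

CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004
COMPRESSION_NAMES = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}
HIGH_ENTROPY = 7.9  # assumed cut-off; the report does not publish its threshold


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (8.0 = uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _cstring(blob: bytes, off: int):
    """Read a NUL-terminated ASCII string; return (text, offset after the NUL)."""
    end = blob.index(b"\x00", off)
    return blob[off:end].decode("ascii", "replace"), end + 1


def describe_compression(type_compress: int) -> str:
    """Decode CFFOLDER.typeCompress: low nibble = codec, bits 8..12 = LZX window."""
    name = COMPRESSION_NAMES.get(type_compress & 0xF, "UNKNOWN")
    if name == "LZX":
        name += f"(window=2^{(type_compress >> 8) & 0x1F})"
    return name


def parse_cab(blob: bytes) -> dict:
    """Return the CFHEADER, CFFOLDER and CFFILE fields a `file` line reports.

    Layout (little-endian, from Microsoft's cabinet format specification):
      CFHEADER  "MSCF" reserved1 cbCabinet reserved2 coffFiles reserved3
                versionMinor versionMajor cFolders cFiles flags setID iCabinet
                [cbCFHeader cbCFFolder cbCFData abReserve]   if flags & 0x4
                [szCabinetPrev szDiskPrev] [szCabinetNext szDiskNext]
      CFFOLDER  coffCabStart cCFData typeCompress abReserve[cbCFFolder]
      CFFILE    cbFile uoffFolderStart iFolder date time attribs szName\\0
    """
    if blob[:4] != b"MSCF":
        raise ValueError("not a cabinet: bad signature")
    (cb_cabinet, coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, set_id, i_cabinet) = struct.unpack_from("<4xI4xI4xBBHHHHH", blob, 4)
    off = 36
    cb_cfheader = cb_cffolder = 0
    if flags & CFHDR_RESERVE_PRESENT:
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", blob, off)
        off += 4 + cb_cfheader          # the "extra bytes N in head" of the report
    for bit in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):
        if flags & bit:                 # two NUL-terminated strings per linked cabinet
            _, off = _cstring(blob, off)
            _, off = _cstring(blob, off)
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", blob, off)
        folders.append({"data_offset": coff_cab_start, "datablocks": c_cfdata,
                        "type_compress": type_compress,
                        "compression": describe_compression(type_compress)})
        off += 8 + cb_cffolder
    names, off = [], coff_files
    for _ in range(c_files):
        off += 16                       # skip cbFile uoffFolderStart iFolder date time attribs
        name, off = _cstring(blob, off)
        names.append(name)
    payload = blob[folders[0]["data_offset"]:] if folders else b""
    ent = shannon_entropy(payload)
    return {"size": cb_cabinet, "version": f"{ver_major}.{ver_minor}",
            "files": names, "first_file_at": coff_files, "flags": flags,
            "set_id": set_id, "cabinet_number": i_cabinet,
            "extra_header_bytes": cb_cfheader, "folders": folders,
            "payload_entropy": round(ent, 3), "looks_encrypted": ent > HIGH_ENTROPY}


def build_cab(names, type_compress, data_blocks, set_id=7878) -> bytes:
    """Assemble a one-folder cabinet with a 20-byte reserved header area, the
    `flags 0x4, extra bytes 20 in head` shape of the dropped DirectX cabinets.
    CFDATA contents are constructed filler, not real compressed data."""
    cffiles = b"".join(struct.pack("<IIHHHH", 0x1000, 0, 0, 0, 0, 0x20)
                       + n.encode("ascii") + b"\x00" for n in names)
    cfdata = b"".join(struct.pack("<IHH", 0, len(b), len(b)) + b for b in data_blocks)
    coff_files = 36 + 4 + 20 + 8        # CFHEADER + reserve fields + abReserve + one CFFOLDER
    coff_cab_start = coff_files + len(cffiles)
    total = coff_cab_start + len(cfdata)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, total, 0, coff_files, 0, 3, 1,
                                   1, len(names), CFHDR_RESERVE_PRESENT, set_id, 1)
    header += struct.pack("<HBB", 20, 0, 0) + b"\x00" * 20
    folder = struct.pack("<IHH", coff_cab_start, len(data_blocks), type_compress)
    return header + folder + cffiles + cfdata


def demo() -> dict:
    """Constructed LZX-style cabinet: random filler gives the near-8.0 entropy
    that makes a sandbox call a perfectly ordinary compressed cabinet 'encrypted'."""
    rnd = random.Random(2010)           # deterministic so the result is reproducible
    lzx_like = [rnd.randbytes(4096) for _ in range(3)]
    cab = build_cab(["d3dcsx_43.dll", "d3dcsx_43_x64.cat", "infinst.exe"], 0x1503, lzx_like)
    return parse_cab(cab)


if __name__ == "__main__":
    print(demo())
```

Run against a real dropped cabinet (`parse_cab(open(path, "rb").read())`) the function reproduces the report's header fields; an entry whose signature, offsets or typeCompress do not parse cleanly, or whose "compression" is NONE while the payload is still high-entropy, is the case that deserves a closer look, not a valid LZX cabinet.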
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1304
                                                                  Entropy (8bit):5.093064451532826
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFZr0IFwRvIOZsc94X7FTMgGe9KsUYEjQPSDw5+lmaMLPwRHl:o7ZrNFWIU9eRUF/cYmZLPwRF
                                                                  MD5:D2B854D6F4647306739F381193AA8A6D
                                                                  SHA1:00FBCB715E54A87EAFD676714BE54C06D713DCF9
                                                                  SHA-256:785EC5D6E40F7CCAE2FED8F76A200DCD1C7026631B10960B86FAC574DB2D936A
                                                                  SHA-512:27442565610389962C14866A283097E3B2896555AA9496D557F9C0445331B6A5CA704535AAFAB853AB27445F2F8BD77ADA11716E32DEAA319D2F9E4C86BEE609
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Accent BeamShaper</name>....<ID>782416U0-375F-452A-B83A-ED2ADN2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="24" max="40"></angle> angle range in degrees -->....<power min="100" max="200"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour>
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1298
                                                                  Entropy (8bit):5.097550784801984
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFHlJk0IFwRKI4R8Zsc94XEFTMcGe9KsUYEjQPSDw5+f7aMLPwRHl:o78NFRIt9eIUF/cYZLPwRF
                                                                  MD5:98821691AE531445F71799BF57702153
                                                                  SHA1:EC714442AFB384CCB82C96C66776A000C693481B
                                                                  SHA-256:2DAE9A138A08626B6039BAF9330A4717D80768FCFC7C7091BBAE896215828FD2
                                                                  SHA-512:BC3C81D675C824FE670D02C99B29B13F4D96718FE59C8B9E245F92DD0DE65BA3A3B83FA83F6B1E3D976A87A234CEF291063C6DEC614EEC28F517A36A61465335
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Accent BeamSpot</name>....<ID>84D6B780-8J47-408A-8A93-C459DF7BB71E</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....freesnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="80" max="80"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="25" max="25"></angle> angle range in degrees -->....<power min="70" max="200"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour> d
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1314
                                                                  Entropy (8bit):5.098196921481253
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFOQNN0IFwRvIOZsc94X7FTMEGe9KsUYEjQPSDw5+lmaMLPwRHl:o7nNNFWIU9eJUF/cYmZLPwRF
                                                                  MD5:AFDB5237B353F011CCBF6285A3C1732D
                                                                  SHA1:E647741ACF73B187DB6B9C74CB2A33DACE71F716
                                                                  SHA-256:FF6318167762BDD9B75E49829C78598FC273DD1EFAA2887CC22D8C534669D436
                                                                  SHA-512:1CBD999FD5E46CD3E64CBC2D0791409A0ED5806EA3AD9333FCCFCD746E1966A97568291B734AD7B35EBD7DD281138B90CC946A781AAFFDA0B977A0327497734E
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Astral Axial 18-34 Zoomspot</name>....<ID>7823Y5B0-385F-450A-B83A-ED2ABR2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="18" max="34"></angle> angle range in degrees -->....<power min="100" max="255"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1">
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1314
                                                                  Entropy (8bit):5.100151582843726
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFs0NN0IFwRvIOZsc94X7FTMohGe9KsUYEjQPSDw5+lmaMLPwRHl:o7ZNNFWIU9eFUF/cYmZLPwRF
                                                                  MD5:28E2DBC509D8FFACDC3B7CE7AED1262B
                                                                  SHA1:CE91EF49CD9052FCC6BE25F37EB8E1B96D4806F1
                                                                  SHA-256:81342C09C328999DD6B704E1F06C407A17548005E21090B3792AA07DBD9E8D04
                                                                  SHA-512:136258681764E90543FFEBEC21256927718C27C4D3AAF49F05E54CC07F118631B734AF2161866A750FE6815945741361283219A7251185134E3FEA4B18B8E308
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Astral Axial 24-44 Zoomspot</name>....<ID>7823M5B0-385F-450A-B83A-ED2ABR2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="22" max="44"></angle> angle range in degrees -->....<power min="100" max="255"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1">
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1309
                                                                  Entropy (8bit):5.108461827114299
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNF/5Y0IFwRvIOZsc94X7FTMYGe9KsUYEjQPSDw5+lmaMLPwRHl:o7/ONFWIU9elUF/cYmZLPwRF
                                                                  MD5:D1ED7BA9958E3DBE92B174048334624F
                                                                  SHA1:F0CFA8FD60B2E6451F9889A2CD990AD0499D458F
                                                                  SHA-256:B1EDD3A529201A110E852403F97DC6AE1AD3E6FC60756A46851041F4BD3DD0C2
                                                                  SHA-512:612AD13E4AA896066CA5267F77A2D3E4DFA23E0C2CC019C80F9862270695B3805275B4A2A6856403D2C36AD079514CC15B89F962C1F422920716080A4F5A1242
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Aureal26-50 BeamShaper</name>....<ID>782715J6-475F-454O-C88A-ED2ANJ7836A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="23" max="50"></angle> angle range in degrees -->....<power min="100" max="255"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></col
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1306
                                                                  Entropy (8bit):5.100481230135956
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNF+92f0IFwRvIOZsc94X7FTM6Ge9KsUYEjQPSDw5+lmaMLPwRHl:o7dfNFWIU9eHUF/cYmZLPwRF
                                                                  MD5:9D7F2D3135D4DC06A10AC218356C60AF
                                                                  SHA1:8CFB2EEB3066056EF6C75129DAB02469D262CE82
                                                                  SHA-256:B19018D6CEA6174690116805595E60D2EB0EAAFDD4CA887D3DD25004E5D62E9D
                                                                  SHA-512:6E11BD399118E6E9BA5952F0C920675B8934EB8728A7E5DFFB160A6F97211F46F21CEA713D931E1BAC95B2432EEC4C73EB48C3A7E716E15DC7BD66D166BC7BF7
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Aureal Fresco Flood</name>....<ID>787715J6-475H-454O-C88A-ED2ADJ7833T5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="23" max="60"></angle> angle range in degrees -->....<power min="255" max="255"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1301
                                                                  Entropy (8bit):5.104601255402653
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFtFf0IFwRKAZsc94XEFTMNGerKsUYEjQPSDw5ZlmaMLPwRHl:o7tJNFRe9ebUF/c/mZLPwRF
                                                                  MD5:A43A0DC00C5597366D2F10BDCEFEA6BB
                                                                  SHA1:3968B42861BE0127921F64EFC0BCD6B6FACEBD75
                                                                  SHA-256:65E1B855AEDF5BA7310D00F4F9E364C2990320DD17D1EE8A677332399917C8F9
                                                                  SHA-512:D7297BAFF756A36F12053AFB7643101EDED7B92CA3B8D6EA9F6B9F318AE5A37143FE47A7B2386A257DEBC870929C47AE864F7378CA6F666E3A92AC0DFEF2BC0A
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Fresco LED Wall Washer</name>....<ID>84HL9A84-F92C-414F-984A-2013UTC1KE4B</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....freesnel....par64....par36....floodlight....-->.....<basetype>floodlight</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="80" max="80"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="80" max="80"></angle> angle range in degrees -->....<power min="300" max="700"></power> light wattage, this is power per light if it is a striplight-->....<shape>2</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour> <!-
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1306
                                                                  Entropy (8bit):5.101066487554633
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFT30J0IFwRvIOZsc94Xe0VXFTM6dGerKsUYEjQPSDw5+f7aMLPwRHl:o7buNFWIU9eeoUF/cYZLPwRF
                                                                  MD5:11FB1DB09DD280BD6550A48291508D62
                                                                  SHA1:BF28678EF9CFA5DCE4E0C755872B670E985F2C35
                                                                  SHA-256:2BEBDC9C71BFD451DC17972D3EDEBD76BF0DAB3073F3CB745504C130E8EF97AE
                                                                  SHA-512:B4FE742E47C4537B17E884B31A48961C266059D4C7674156EDB9BD19790E705A3DCBDFD5C5168DAFBB0BAEA8318511111CDFBB3FA83A88E9A1FD77AB331FBABF
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>LED Wall Washer</name>....<ID>782453U0-385F-453A-B83B-EK2ADA2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="50" max="50...."></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="80" max="80"></angle> angle range in degrees -->....<power min="200" max="500"></power> light wattage, this is power per light if it is a striplight-->....<shape>2</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1304
                                                                  Entropy (8bit):5.106616659411485
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFuoM0IFwRvIOZsc94X7FTMSMGe9KsUYEjQPSDw5+lmaMLPwRHl:o7vMNFWIU9eVsUF/cYmZLPwRF
                                                                  MD5:461CD3F22045EF98697876A0789F37CB
                                                                  SHA1:4A368EB0F36B36E4FBD95622DB116510DA9B37E6
                                                                  SHA-256:99EE05A19F79550B1DBB41FEDCF42A95AC4079F6437ABB2D0DCE7B241651F14B
                                                                  SHA-512:0E884F5470D7A033F344CAC7BC337A59AFF98D75F7B1A5F46FB72CACD92EC8092186132306831A3A50241F686B1B8C988FDEF6ED3C1CCFC550B12823F93CA6FE
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>PL1 LED Luminaire</name>....<ID>782715U3-375F-454D-B84Z-ED2VDH2830G5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="14" max="50"></angle> angle range in degrees -->....<power min="150" max="150"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour>
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1309
                                                                  Entropy (8bit):5.101436874762516
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFhc8C0IFwRvIOZsc94XeXFTMcGe9KsUYEjQPSDw5+lmaMLPwRHl:o7ODNFWIU9eMUF/cYmZLPwRF
                                                                  MD5:B69E54B676D73A1C7AE7F623BE0B9B48
                                                                  SHA1:AA5F1523079329B8E2099B32BA40339E3E56C75B
                                                                  SHA-256:0CE16133349DD17FCAF37DF3A6ED426A24031FE99628A3C4048E32CBC9EAF58F
                                                                  SHA-512:F31AA6DB5D40027415724C453A46753FD5CB8EBBEE72EEA23B2EA27FCCF9B6B213F0BB0285A8FF5C1A57BBA893E5E9D07B3A5A38B21442E77C5296BCCE39119F
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Luminaire 20 - 50 Spot</name>....<ID>782342R2-376D-443G-B83A-ED3XXR2860A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="15" max="15"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="20" max="50"></angle> angle range in degrees -->....<power min="120" max="500"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></col
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1313
                                                                  Entropy (8bit):5.098437712794693
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFh00IFwRvIOZsc94Xn6FTManBGe9KsUYEjQPSDw5+lmaMLPwRHl:o7GNFWIU9eon5UF/cYmZLPwRF
                                                                  MD5:028CC7688607953DF7621E6896062739
                                                                  SHA1:AB24745F46853DD2AF764DB271BE00AEC43C8875
                                                                  SHA-256:6A3D266AB3174644D18756D4085D91E4F02729C6EA5F99CC618F069EBDA9C9FA
                                                                  SHA-512:72252AFF433E0632ADDFD8E2487ED10880BC1F67B8AD918C95F4C7CBB508A2B05E16986F626B4AC936AA3A035C0680BC8AA030F4D0D567FDA7D901BCED856683
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Luminaire Narrow Beam Spot</name>....<ID>782342B1-375D-453A-B83A-ED2XXR2860A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="10" max="10"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="12" max="12"></angle> angle range in degrees -->....<power min="150" max="300"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"><
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1311
                                                                  Entropy (8bit):5.103061718951463
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFh7f0IFwRvIOZsc94XeXFTM2nBGe9KsUYEjQPSDw5+lmaMLPwRHl:o7xNFWIU9emn5UF/cYmZLPwRF
                                                                  MD5:A13C4A896068CE5BEA1D12A4B80DC714
                                                                  SHA1:543B46E338C2C5CF276FFF2FCDEA7DB1200823FF
                                                                  SHA-256:A893A9E700E5AA9696508B8E3C9638EB861E916B856103B09F249946506774F4
                                                                  SHA-512:D9B2A984E2B7EE4F9961325A9FE6546CCED62418E9A1FBB8E0770B38E23A3945E9CACAB2CF8BF02684AE38465F1FAD85903ECF45A9D7258B6DD874FC720D7704
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Luminaire Wide Beam Spot</name>....<ID>782372B1-378D-453A-B83A-ED2XVR1860A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="15" max="15"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="25" max="25"></angle> angle range in degrees -->....<power min="150" max="300"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></c
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1314
                                                                  Entropy (8bit):5.107414558258862
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFtLhJ1+FdN0IFwRvIOZsc94X7FTM+BGe9KsUYEjQPSDw5+lmaMLPwRHl:o7tBeNFWIU9ejUF/cYmZLPwRF
                                                                  MD5:243CFBFDDF3CDDD1B2ACA7171B774A69
                                                                  SHA1:D2F16C2088D0CF2BA06386CD7A19099FED98949F
                                                                  SHA-256:120BFBFDA83F043C710F31B4875DE0A6A04715ED85C346C5E7225EE493E50911
                                                                  SHA-512:021341B84D8D44F94CF7BDF21149220A58FB646233BF179A9E954BF633EBF574B226BA681086CE75AB7A84CAE1EADD5A650330C9D07C0F769ED2416B2BE02C5D
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Selecon Display LED Profile</name>....<ID>7823Y2G0-385F-450Y-B83A-ED2AZR2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="16" max="55"></angle> angle range in degrees -->....<power min="160" max="160"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1">
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1315
                                                                  Entropy (8bit):5.100348815432288
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNF+J1BJOJau0IFwRvIOZsc94Xn6FTMoWBGe9KsUYEjQPSDw5+lmaMLPwRHl:o7goauNFWIU9e+W5UF/cYmZLPwRF
                                                                  MD5:89DF464DDBA9F41F3674A125061FB459
                                                                  SHA1:23D4CD00BB6F37C1C302332E991582173B291D60
                                                                  SHA-256:1EAC1CDE0968AB039F8F8CA3122EA85D3BAFC9AF38B3B53ADF3C2D73D830A6E0
                                                                  SHA-512:6AB323AD6B51F52D5F0986DE5067E80AAE0055E5A9116245D497567D711132E617741BB6809460624184F5F548917CC3EC2D556DA327E729BD5DD37E28205F11
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Selcon Display Profile 15-35</name>....<ID>7823Y2B0-345F-450A-B83A-ED2ZBR2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="10" max="10"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="15" max="35"></angle> angle range in degrees -->....<power min="100" max="300"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1315
                                                                  Entropy (8bit):5.101044130204823
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNF+J15Ju0IFwRvIOZsc94XoFTMvGe9KsUYEjQPSDw5+lmaMLPwRHl:o7g/uNFWIU9ezUF/cYmZLPwRF
                                                                  MD5:18448A5D268E70A58FB025C80FCFA276
                                                                  SHA1:901CCE817EFB865706C73F38EC3FAA024FA68C37
                                                                  SHA-256:DD4000584DCEC87731E70849A1E8F8B68CEBA670B4A98FEC6C818EDB5F6B0CED
                                                                  SHA-512:57D9D302A0141AB85B31ACACA43494BFCF2D78EB212019B20C4FAA5609FD44292A76699749C6CAF28E10D4920D14B886E1F40E0AF440573CAD15618D2AC6E448
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Selcon Display Profile 25-50</name>....<ID>7823O2B1-345D-453A-B83A-ED2ZBR2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="20" max="20"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="25" max="50"></angle> angle range in degrees -->....<power min="100" max="250"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1295
                                                                  Entropy (8bit):5.107168042868034
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFtLf0IFwRKAZsc94X6FTM6BBGerKsUYEjQPSDw5ZlmaMLPwRHl:o7trNFRe9eyrUF/c/mZLPwRF
                                                                  MD5:5CE2F3B01B17A3E818EFF26E3CB7F6F1
                                                                  SHA1:35A2C4B4F724EB24EA51D7E11A8EA26B0E8A662D
                                                                  SHA-256:73C8964748B8FB83AB883CF338D0ACBD1C49909DA10FE3FCBFA8D27987A45851
                                                                  SHA-512:9737A90EAE0917A9E3B88C31D0FB49329F1B0A354EB6A33B79934946DD37294CB466C064DE356068CD65EFB63DE9CBC617386E01BCC7CCD9D4A66A85ACC8106F
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Selecon Wing CDM</name>....<ID>84FB3O87-F02C-614B-984A-2017EYC1DE3B</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....freesnel....par64....par36....floodlight....-->.....<basetype>floodlight</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="90" max="90"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="80" max="80"></angle> angle range in degrees -->....<power min="200" max="520"></power> light wattage, this is power per light if it is a striplight-->....<shape>2</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour> defa
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1299
                                                                  Entropy (8bit):5.101104592078305
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFtLF0IFwRKAZsc94XEFTM5PGGerKsUYEjQPSDw5ZlmaMLPwRHl:o7t5NFRe9eFPUUF/c/mZLPwRF
                                                                  MD5:8F1303A4E827FB978573C03F05003824
                                                                  SHA1:D7EC4126266BE1D50D72CFB2FF2EFF7375471857
                                                                  SHA-256:AD4358D256F9B76E9C643D1F6BC0F2B141149FE1AA2053AE88C7B268D5AFE3D4
                                                                  SHA-512:02215B528FF10AC75667DE316CAEBAD95B13FF580B8F43DAAEEF8D1B3086BBC764F70A3CC257B1BC26DB843FAA611B91A5792EEB8068D9905E032F32E991B4FF
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Selecon Wing Linear</name>....<ID>84UB8A87-F02C-414F-984A-2013SAC6DE3B</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....freesnel....par64....par36....floodlight....-->.....<basetype>floodlight</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="80" max="80"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="70" max="130"></angle> angle range in degrees -->....<power min="150" max="350"></power> light wattage, this is power per light if it is a striplight-->....<shape>2</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour>
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1311
                                                                  Entropy (8bit):5.116090219784475
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFtLae0IFwRKAZsc94XQFTMUGerKsUYEjQPSDw5Zf7aMLPwRHl:o7thNFRe9eCUF/c1ZLPwRF
                                                                  MD5:6A4DE77DCA0312C8B7423D5D8582496D
                                                                  SHA1:ABB43F1D33169E66746A4D29D748E701182DAE10
                                                                  SHA-256:95ED0CF3FCBA9143FC97357DFA46EB999663A93BF44EE194BCB2A65594744BCF
                                                                  SHA-512:C93475912C7110D21A4EA87B1AAA27CB80AF8952B70AAAC7AE22F68134A4B171C5081F5DAF358A596DFBBE852A109CC93E0B5FB52D29F248D32BB90CDFE7E70B
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Selecon LED Tuneable Wall Washer</name>....<ID>84UB8A87-G72J-415F-984A-3013SAC6DE3B</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....freesnel....par64....par36....floodlight....-->.....<basetype>floodlight</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="60" max="60"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="80" max="80"></angle> angle range in degrees -->....<power min="260" max="500"></power> light wattage, this is power per light if it is a striplight-->....<shape>2</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></c
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1306
                                                                  Entropy (8bit):5.081412824088448
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFK31qhlTr0IFwRKI4R8Zsc94X6UBFjgGe9KsUYEjQPSDw5+lmaMLPwRHl:o7I1q/TrNFRIt9e6zUF/cYmZLPwRF
                                                                  MD5:9D70EDBDCF3BBA0020FB895718EDA5BF
                                                                  SHA1:7DB25E5DDC03B109647D54D8EAF9E974DE98932B
                                                                  SHA-256:97A406A9311F58366DE2B7055285B39E1246CFF9ED947325E421460DA3FC5D36
                                                                  SHA-512:4B0375CB917FD82C231E7B192473352F9999E8F011939AEBE77D753213E7BE05E216242528F9FB76BCF7BC4F25A329B72618FBC80787BFDE31C53EB4E81002EE
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Ellipsoidal Fixed Focal length</name>....<ID>F1E2C31E-4485-4F4D-995B-4766306D9ED6</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....freesnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="95" max="95"></focus>. focus range, 0 = max blur, 100 = hard edge -->....<angle min="5" max="50"></angle> angle range in degrees -->....<power min="500" max="2000"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1303
                                                                  Entropy (8bit):5.0843047052230546
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFEN0IFwRvIOZsc94X7FTM/Ge9KsUYEjQPSDw5+lmaMLPwRHl:o7ENNFWIU9eIUF/cYmZLPwRF
                                                                  MD5:B563034507DDC32865E94B79B2ABCEF2
                                                                  SHA1:FF6E33DB68C873F18120E7D15310E691AF350AFB
                                                                  SHA-256:CA4AD9839794BB73AE54F580653E8BB3DE6F5A8F8B7AAC37DCB447C163BA9383
                                                                  SHA-512:437BFFC2CAB85216B617ADBB4359150524B2E5816E044F74E6183AF9E704A0B044F8E2F0F569AEEB581563E7DFC394B4A723ED3E9A37F9D487F7AC43A8CCF62B
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Ellpsoidal Zoom</name>....<ID>782315B0-375F-450A-B83A-ED2ABF2830A5</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>ellipsoidalzoomspot</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="0" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="15" max="50"></angle> angle range in degrees -->....<power min="500" max="2000"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour> <
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1283
                                                                  Entropy (8bit):5.084874118213131
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFTRxF0IFwRvP/3Zsc94XCFTMQGe9KsUYEjQPSDw5Zf7aMLPwRHl:o7LFNFWF9eiUF/c1ZLPwRF
                                                                  MD5:099FE5C431126B7E4B9016EFDA246994
                                                                  SHA1:E2E88FDB2BB31975764CBED9DC3393B2E79F39F0
                                                                  SHA-256:0C0F947D07F723F7E9EFF58057CBFF18BCD04441A000DF3F3AD5F446C4C98FCA
                                                                  SHA-512:911ADC258AFBB54F1969D3B649846A2C170D0DE4F15729BCF72D90184570C61A7AA21F7E195CF94A53580C2BBF0F1337A1B23185F9234815470C30C211075002
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Fresnel</name>....<ID>77EF631F-CE48-4782-86C1-DB282AD2CB46</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....fresnel....par64....par36....floodlight....-->.....<basetype>fresnel</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="800" max="80"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="15" max="70"></angle> angle range in degrees -->....<power min="100" max="500"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>1</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour> default colour,
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1283
                                                                  Entropy (8bit):5.099688935256932
                                                                  Encrypted:false
                                                                  SSDEEP:24:oNFWE0IFwRKgZsc94X+FTM59Ge9KsUhEjQPSDw5ZlmaMLPwRHl:o7WENFR+9eL1Ui/c/mZLPwRF
                                                                  MD5:DE2CB56B01AB67E71BA3ACCDD1710705
                                                                  SHA1:F61A03DD543C89DACDD707D4EACAE31A557AF838
                                                                  SHA-256:0D267C4AB81C1015D73AACD0699CD9341812BFC881E56F5F5DDF98E1B7261A9E
                                                                  SHA-512:B9BB28C0AC23608F157846C208486A2FB6200DE7C16DDA28A317B2DD958CE3D7DBEB9E36A0A1993FFB2216116D4971A72FC0AF9F66A16914990759FC41EC4715
                                                                  Malicious:false
                                                                  Preview: Ortelia Interactive Light Configuration File -->....<light>...<base>....<name>Scoop</name>....<ID>88C5BEAE-BAE1-4FEE-96CD-81E86A8FE59C</ID> unique identification ID -->........ basetypes: ....planoconvex....ellipsoidalspot....ellipsoidalzoomspot....freesnel....par64....par36....floodlight....-->.....<basetype>par36</basetype> see above -this is the visual model the light will use -->....<modelscale x="1" y="1" z="1"></modelscale> model scale -->...</base>...<settings>....<focus min="100" max="100"></focus>. focus range, 0 = hard edge, 100+ = super soft edge -->....<angle min="70" max="130"></angle> angle range in degrees -->....<power min="500" max="2000"></power> light wattage, this is power per light if it is a striplight-->....<shape>0</shape> 0= circle, 1= oval, 2= square -->....<gobo>0</gobo> gobo allowed? -->....<changecolour>1</changecolour> colour gel allowed? -->....<colour r="1" g="1" b="1"></colour> default colour,
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows 95 Internet shortcut text (URL=<http://www.ortelia.com>), ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):48
                                                                  Entropy (8bit):4.4876492827408
                                                                  Encrypted:false
                                                                  SSDEEP:3:HRAbABGQYm/0S4xXn:HRYFVm/r4xX
                                                                  MD5:3D2DFF52D2A19866A739AE574C563FB9
                                                                  SHA1:62DEF033939EC08AD00D826957C14DA5F54BA05F
                                                                  SHA-256:B67523EF7394EAF1BDDB27F6C3C7BF3AF9FDA9E028C4E2E77ABECF7662C30F40
                                                                  SHA-512:7B07E1A9F87845659A198A7B8D5D09ECFD8ABDD81CEB52438A1CE631A7CBFD9F69C295A06AF2A1D40EEF9CC07E559ADF910B0825CBAE082E5E2A61E0078CC27F
                                                                  Malicious:false
                                                                  Preview:[InternetShortcut]..URL=http://www.ortelia.com..
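The per-file fields in this listing (size, 8-bit entropy, the "Encrypted" flag, the hash set) are cheap to recompute locally, and doing so is the first check before trusting or re-using a report's indicators. The script below is an added example, not Joe Sandbox's own code: it rebuilds the 48-byte Internet shortcut from the preview above (the preview's dots are CRLF line endings) and reproduces the listed size and entropy exactly, then triages a constructed high-entropy stand-in for a packed PE. The "encrypted" rule is an assumed entropy threshold consistent with the values on this page, not the sandbox's actual rule; the `.ndata` section hint for Nullsoft installers is a heuristic; SSDEEP is left out because it needs the external `ssdeep` library.

```python
"""Dropped-file triage: recompute the fields a sandbox report lists per file.

Added example (not Joe Sandbox code). Reproduces size, 8-bit Shannon entropy,
MD5/SHA-1/SHA-256/SHA-512 and a coarse magic-based type guess.
"""
import hashlib
import math
from collections import Counter

# ASSUMPTION: flag a file as packed/encrypted above this 8-bit entropy.
# The page's data is consistent with it (7.9388 -> false, 7.9997 -> true),
# but the report does not state its real threshold.
ENCRYPTED_ENTROPY_THRESHOLD = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_file_type(data: bytes) -> str:
    """Coarse magic-based classification covering the types in this listing."""
    if data.startswith(b"MZ"):
        # Heuristic: Nullsoft installers carry an '.ndata' section.
        return "PE (NSIS)" if b".ndata" in data[:4096] else "PE"
    if data.startswith(b"%PDF-"):
        return "PDF"
    if data.startswith(b"[InternetShortcut]"):
        return "Internet shortcut (.url)"
    # Shell link: HeaderSize 0x4C + LinkCLSID 00021401-0000-0000-C000-000000000046
    if data.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):
        return "Windows shortcut (.lnk)"
    return "data"


def triage(data: bytes) -> dict:
    """Return the report-style field set for one dropped file."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy > ENCRYPTED_ENTROPY_THRESHOLD,
        "type": guess_file_type(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


# Reconstructed from the report preview (CRLF line endings): 48 bytes.
SHORTCUT_SAMPLE = b"[InternetShortcut]\r\nURL=http://www.ortelia.com\r\n"

# Constructed stand-in for a packed PE: an MZ magic followed by 64 KiB of
# deterministic pseudo-random bytes (SHA-512 chain). Not a real PE image.
PACKED_SAMPLE = b"MZ" + b"".join(
    hashlib.sha512(i.to_bytes(2, "big")).digest() for i in range(1024)
)


def triage_samples() -> dict:
    """Triage both constructed samples; keys name the sample."""
    return {"shortcut": triage(SHORTCUT_SAMPLE), "packed": triage(PACKED_SAMPLE)}


if __name__ == "__main__":
    for name, fields in triage_samples().items():
        print(name)
        for key, value in fields.items():
            print(f"  {key}: {value:.13f}" if key == "entropy" else f"  {key}: {value}")
```

Feed the script a real dropped file instead of the constructed samples and compare `md5`/`sha256` with the report's values: a mismatch means the artifact on disk is not the one that was analysed. Entropy close to 8.0 on a multi-megabyte PE, as for the two large executables in this listing, says only that the body is compressed or packed; it is a reason to unpack and re-hash, not a verdict on its own.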
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):44867363
                                                                  Entropy (8bit):7.999891195631607
                                                                  Encrypted:true
                                                                  SSDEEP:786432:jwlAIGBQds8jBn7Q4BJEBQ75dHQT4kkt0f1kWPfXZWM/oP2JnY3jp8b7:jwmNBGBn7hDEy75VQTD8WEMQPgY32b7
                                                                  MD5:A920B45A4CB4B98E152C745B714A2AD8
                                                                  SHA1:C969F3E5AF8C66DA0C90A7CBA1A1D4050B9AC177
                                                                  SHA-256:E422453A0E0C6C60565BC4229E7247B98EDFEA0BFA120CFB8C94EA730332AC54
                                                                  SHA-512:F6B673FA4F78771D96AF4D1844623E28178A185B33AF78E6C3BE9BC0112B3CD8162A454EB173B86E37AC615C15AC9FA8D1329426F2ED72196B858ACD55D9A15C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$@..J...J...J..G7...J..G'...J.N.....J.N.....J...K...J.......J..G$...J..G6...J..G2...J.Rich..J.................PE..L...~d.J..........#...............................@..........................P..............................................8...x....0..................................................................@............................................text.............................. ..`.rdata..XG.......P..................@..@.data....9....... ..................@....rsrc........0... ..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PDF document, version 1.5, 86 pages
                                                                  Category:dropped
                                                                  Size (bytes):7607775
                                                                  Entropy (8bit):7.866115770357195
                                                                  Encrypted:false
                                                                  SSDEEP:196608:fyDUSMOuwVljXJg6w9LmxEq0piJ7savb+S78q1Jbl:f5SMOuwVd+fmxEqsiJ1vS+L
                                                                  MD5:5FB6FA0A2CFDB669EE0173EDC363A0C7
                                                                  SHA1:3C1C08F9B1A2E08C3DD60B48925C1F748D183A16
                                                                  SHA-256:18F026CB2D3189660AB55AF9165B354D7CC601A3599C4738A8048B165F71897B
                                                                  SHA-512:FD30639CE76A6DB19066E489EA179126BFADEAF311CDB5107C21CFC48376E479CB9E942E1536E3F0CD12D837D937E8133518D54A18AB7B8902381695B755D14E
                                                                  Malicious:false
                                                                  Preview:%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 872 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 86/Kids[ 3 0 R 14 0 R 17 0 R 18 0 R 19 0 R 20 0 R 22 0 R 29 0 R 37 0 R 38 0 R 40 0 R 41 0 R 43 0 R 45 0 R 48 0 R 49 0 R 50 0 R 51 0 R 52 0 R 53 0 R 54 0 R 56 0 R 60 0 R 61 0 R 64 0 R 66 0 R 68 0 R 71 0 R 73 0 R 76 0 R 80 0 R 82 0 R 83 0 R 89 0 R 92 0 R 94 0 R 96 0 R 98 0 R 100 0 R 103 0 R 104 0 R 107 0 R 108 0 R 109 0 R 113 0 R 114 0 R 115 0 R 116 0 R 120 0 R 122 0 R 124 0 R 126 0 R 128 0 R 129 0 R 132 0 R 133 0 R 135 0 R 136 0 R 140 0 R 142 0 R 146 0 R 151 0 R 152 0 R 154 0 R 157 0 R 162 0 R 165 0 R 167 0 R 169 0 R 170 0 R 172 0 R 178 0 R 180 0 R 182 0 R 184 0 R 185 0 R 187 0 R 189 0 R 191 0 R 192 0 R 194 0 R 195 0 R 196 0 R 198 0 R 200 0 R 204 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 9 0 R/F3 11 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image13 13 0 R>>/ProcSet[/PDF/Text/ImageB/Imag
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):25056388
                                                                  Entropy (8bit):7.999671266179167
                                                                  Encrypted:true
                                                                  SSDEEP:393216:JXayUPQyHxeLPDKBsEAE+awzMfZIT6m34cG0O0GGlYo6MXNJNsc1QGJv8h/k:JXanterDPwwYS+XN0OoNXNJ1eM
                                                                  MD5:4F15AA69B39005A59BFC754A2E2252AE
                                                                  SHA1:73B23C08177BC1BFDE4CA9FCDEC16C387A8CD9FE
                                                                  SHA-256:BB59961609EB5E4724DDFF1911B5BF91B14ED46BCDF976297B2DDB6019AEC78A
                                                                  SHA-512:D570D8F444CEE6DB4F6B56F4C2256C44E85415929EADAAE4DA5D7A7FED7C39DC5E9D3D5258710A9E6801A75F0F74B04DD778F2C60EFC1A10221D5C5D3B79B41B
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$@..J...J...J..G7...J..G'...J.N.....J.N.....J...K...J.......J..G$...J..G6...J..G2...J.Rich..J.................PE..L...~d.J..........#...............................@..........................P..............................................8...x....0..................................................................@............................................text.............................. ..`.rdata..XG.......P..................@..@.data....9....... ..................@....rsrc........0... ..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PDF document, version 1.5, 26 pages
                                                                  Category:dropped
                                                                  Size (bytes):2857267
                                                                  Entropy (8bit):7.853982261065292
                                                                  Encrypted:false
                                                                  SSDEEP:49152:csGSi4kSL+5tRMa6f2GOxnzeSLIdsPkoqjrAqo02/tdidjHk4pQQuVuLBkbpY:XTiHB5N6fNONzedeP0rBh2lUdRmQuVYP
                                                                  MD5:5F74F8885A475DEFC8FF80B39F2F6DE0
                                                                  SHA1:F488925E94E6B9E01C23A057543B27BD8D5EC656
                                                                  SHA-256:559E032DDF89194E6B41D5D8879F081058454F5F57528CE560614AF1E05C3E6F
                                                                  SHA-512:7F6855FEBB72C476AE05CA447ED9E551337571DBB78580120CD4110627B90E7809D67F4181DDC784A769B153523751F1F94E79AE344A0E4BD10DF8D90D641FBE
                                                                  Malicious:false
                                                                  Preview:%PDF-1.5..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 257 0 R/MarkInfo<</Marked true>>>>..endobj..2 0 obj..<</Type/Pages/Count 26/Kids[ 3 0 R 14 0 R 19 0 R 21 0 R 28 0 R 31 0 R 33 0 R 35 0 R 36 0 R 38 0 R 44 0 R 46 0 R 48 0 R 50 0 R 51 0 R 53 0 R 55 0 R 57 0 R 58 0 R 60 0 R 61 0 R 62 0 R 64 0 R 65 0 R 67 0 R 70 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R/F2 9 0 R/F3 11 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image13 13 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 449>>..stream..x...]k.0.......R..XGG.....+..[i....L.e.|tn...x..$eU'.....G.Hz..g8;k.....s.M..,$...H.....(.....e1..E.@9..f?..8..$-*.60...*...q.x.s.bh.}.,..O}U+..wm...o0.P..q.../....C.A./{s..;.=.-.w}>Q6..{N4...X..9.....6b....SY......N..n.A._..#..|l....~w[%.( .46q.......d.N..(.I...!.@.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):17206854
                                                                  Entropy (8bit):6.037672095032195
                                                                  Encrypted:false
                                                                  SSDEEP:98304:f+yOwFoYnR/yh5cp2roHP4kc135wHYrAa91:f+y39R/yNrAArrAm
                                                                  MD5:E0E097D649648041A757B55BAD5A0A92
                                                                  SHA1:0D219B3813B8EBFC654DEFCFF5956F4932BF5F49
                                                                  SHA-256:7B8237985DD92E8C8B557D7983E936BA737F4E98471A346C80932B648E3F66EC
                                                                  SHA-512:8CEA3BED815132F282F3E6BCC2A807C7A7CAFE0F7502C1ACD7A1DABD046A722516A0F327808ACBE266C07AAC29ED298682BEF2A02FF34415D6CF68F81E2D9A45
                                                                  Malicious:false
                                                                  Preview:QVRS....?...A3DGCGGG....J1.n...F.^l.>%;.CGRE.....CGUC........CHCT....(.~B..D.B5e..a.CHSS........CHIT........CHNA....InterfaceCreation.CHIT........CHLC........INID.....P..P..L.v....ICIC........ICITINID........&:gI..a.{...INPI.....ININP...iGetMainEnv.:.\.w.o.r.k.\.Q.u.e.s.t.\.J.u.l.y._.1.2._.O.r.t.e.l.i.a._.C.u.r.a.t.INIC........INITIIPM.....IIIT........IIET........IICT........IIINO...getMainEnv.....................................................................IIISIIOM.....IIIT....9..9...H.b.g~..+IIOM.....IIIT....9..9...H.b.g~..+IIPCc...mainEnv.gned.......g........`Z{ .......g....\>fe...$\>fe.............0.$................p.>.......>IIPNc...ClassInstance->cMainContent............g...............................g...g...g...g...g...$@...$..IIPC........INITIIPM.....IIIT........IIET........IICT........IIINO...getCustomRender................................................................IIISIIOM.....IIIT.....P#.=..L...`...IIOM.....IIIT.....P#.=..L...`...IIPCc...mainEnv.gned.......g..
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1810432
                                                                  Entropy (8bit):7.938846813040323
                                                                  Encrypted:false
                                                                  SSDEEP:24576:nh/zxe3rsHxk53EkyUq+1cBXyxUcpeqq1ocMkkRns3LEN8l4XZOB:h/zxagHe3VyTnXy3EqbFkkts31GZK
                                                                  MD5:0F979E7E706E1BDD0BECB0766B386C57
                                                                  SHA1:0E4FC21C59DA666D7E5160A6FCAE2CD8877F3B2F
                                                                  SHA-256:6C6EFB1D4800FE0DEA59B38E9AFE9D9FCB44C0628DCA9294C757C2C92E4C4E26
                                                                  SHA-512:EF7169EBA0616DCE33EBBDCCBD4366FAFC94A7AF09AF32D57535766A5700F0FC7A94008AEA6430EDB4024849B26D1D7A508961444346482A98266482A4ECC60E
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: Virustotal, Detection: 15%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....J..........#.................pC............@..........................P...............................................@..H.... ...............................................................................................................text...:........h..................@....rdata..| ...........l..............@....data....%...........t..............@....rsrc........ ... ...z..............@................@......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Category:dropped
                                                                  Size (bytes):53319
                                                                  Entropy (8bit):6.446130962408847
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ipgpHzb9dZVX9fHMvG0D3XJNgc+LeAyN/IIw:ggXdZt9P6D3XJNkeAN5
                                                                  MD5:87D80DBAEA0B7539F7762B9DF0DDEAD7
                                                                  SHA1:A3A7185357C4D030015D3372393D06AF7A6D2106
                                                                  SHA-256:09B4ECC7E3412DD4375DB27128EB1EE9F80C1B1BA4229E848250729EF9B1DFE4
                                                                  SHA-512:1D08D062DF800424C48CA7620DFD1964A62FD6AF071052DC29F29A20B051E0EBF17F44B24E36C568BE9CA13D28C7A237A96B6D11EC8CFABC12F2E91EBF5944A9
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t..........XH...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...XH.......J...z..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Nov 5 01:21:30 2015, mtime=Fri May 10 02:10:44 2024, atime=Thu Nov 5 01:21:30 2015, length=7607775, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1197
                                                                  Entropy (8bit):4.626806840932042
                                                                  Encrypted:false
                                                                  SSDEEP:24:8mTI2yEVdOEipoDP3mAycqBgdZ9nU4dZ9BUUlnqyFm:8mTI2lVdOBOP3dljdZ9nhdZ9a/yF
                                                                  MD5:D148BFF85DFA8C2BF142C7F4422BBA22
                                                                  SHA1:1BEBD9A06BC03BE194371F0828F20FFC774A710D
                                                                  SHA-256:8663768F9A175B7A0C6A07C908689E4F2E50E4971BD5D114710A701671823EEE
                                                                  SHA-512:F49BA000E28211B5815B0EB7619CCF4667BA0EFA0436304BAF3856AB139696C84C38F8F9C1021CEF677039205499961D3B467D9A8F55FBD5B96DB8C3474C3535
                                                                  Malicious:false
                                                                  Preview:L..................F.... .....c.p...@........c.p.....t..........................P.O. .:i.....+00.../C:\.....................1......XT...PROGRA~2.........O.I.XT.....................V.....7T..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....h.1......XU...ORTELI~1..P......XT..XU.....q......................8 .O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....z.2...t.eG.. .ORTELI~1.PDF..^......eG...XW.....{.........................O.r.t.e.l.i.a.C.u.r.a.t.o.r.H.e.l.p...p.d.f.......l...............-.......k...........v.;.....C:\Program Files (x86)\Ortelia Curator\OrteliaCuratorHelp.pdf..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.O.r.t.e.l.i.a.C.u.r.a.t.o.r.H.e.l.p...p.d.f.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.........*................@Z|...K.J.........`.......X.......172892...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Mon Aug 12 03:01:52 2013, mtime=Fri May 10 02:10:45 2024, atime=Mon Aug 12 03:01:52 2013, length=1810432, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1291
                                                                  Entropy (8bit):4.5896142410282765
                                                                  Encrypted:false
                                                                  SSDEEP:24:8+TM/yEVdOEipoDl58ZBQQAbqBybdZ9lhPdZ94UUlb2yqyFm:8+TM/lVdOBOliB+beadZ9lJdZ9Nu2vyF
                                                                  MD5:D177FF4E1DB42C94ED00D083DF9637EF
                                                                  SHA1:668F7F6071BEBCE4B22B40E9D24FD1A5B47B951A
                                                                  SHA-256:9115EAD5789621225B56316542288F978742422AF3131B413D7D1F68A32BA9BC
                                                                  SHA-512:1D5E60D3B0C16C118E716373ADD2C109AD7C61DDA5BC888F9E803964B56299DA6298A0C5947295B4020CEBC5E4F08405BAE8F51BBC3A7531349CCBB1CE774650
                                                                  Malicious:false
                                                                  Preview:L..................F.... ............D3..........................................P.O. .:i.....+00.../C:\.....................1......XT...PROGRA~2.........O.I.XT.....................V.....7T..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....h.1......XU...ORTELI~1..P......XT..XU.....q......................8 .O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....P.1......XU...tools.<......XU..XU............................8 .t.o.o.l.s.....j.2......C: .DEACTI~1.EXE..N.......C: .XW...............................d.e.a.c.t.i.v.a.t.e...e.x.e.......j...............-.......i...........v.;.....C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe..J.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.t.o.o.l.s.\.d.e.a.c.t.i.v.a.t.e...e.x.e.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.t.o.o.l.s.../.D.E.A.C.T.I.V.A.T.E.........*................@Z|...K.J.........`.......X.......172
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 29 01:56:30 2015, mtime=Fri May 10 02:10:42 2024, atime=Thu Oct 29 01:56:30 2015, length=44867363, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1177
                                                                  Entropy (8bit):4.615811726450849
                                                                  Encrypted:false
                                                                  SSDEEP:24:8mk2QMbH9/yEVdOEipoDlEWtHABqBxdZ9n94dZ9BUUl4/oqyFm:8mjQs9/lVdOBOlztgBmdZ9n6dZ9afyF
                                                                  MD5:7EEFE6E07B7AD783A742D10972DAEAAF
                                                                  SHA1:5A8B9E494030941965FD9330E7E4B29F49261D5A
                                                                  SHA-256:75C4559B00280C4EB1096ECCAF327412202148306DF781B9B7A582D59342CF27
                                                                  SHA-512:C604EA40025368EA7B1DCD25082827E892E5ED3E5DDB9FFB7BE8DE201F728CAEC208CF4C7E9CA53B25DF4BB2291A14B0DE0F505D29FD9C3AC47DA44FB05FFF59
                                                                  Malicious:false
                                                                  Preview:L..................F.... .....2i....P.5.......2i....#............................P.O. .:i.....+00.../C:\.....................1......XT...PROGRA~2.........O.I.XT.....................V.....7T..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....h.1......XU...ORTELI~1..P......XT..XU.....q......................8 .O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....r.2.#...]G.. .ORTELI~1.EXE..V......]G...XV.....s.........................O.r.t.e.l.i.a.C.u.r.a.t.o.r...e.x.e.......h...............-.......g...........v.;.....C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe..H.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.O.r.t.e.l.i.a.C.u.r.a.t.o.r...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.........*................@Z|...K.J.........`.......X.......172892...........hT..CrF.f4... .v.T..b...,.......hT..CrF.f4... .v.T..b...,..................1SPS.XF.L8C....&.m.q....
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 29 10:34:00 2015, mtime=Fri May 10 02:10:45 2024, atime=Thu Oct 29 10:34:00 2015, length=25056388, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1167
                                                                  Entropy (8bit):4.6217157196958745
                                                                  Encrypted:false
                                                                  SSDEEP:24:8m9pyEVdOEipoDxK0MAnqBXdZ94w4dZ9BUUl7qyFm:8mrlVdOBOxVnodZ9CdZ9a7yF
                                                                  MD5:051CB6710B023B2B5C873502328BE657
                                                                  SHA1:57066E6AC43BDC620A3B736910B4E627E2C499CD
                                                                  SHA-256:D1C7D0B584B7C17B11ADD7BF09C6482D7F0F3E68E3F6E6785A02096C3D60B3D8
                                                                  SHA-512:AE07761D815C1D4C5F78725FB500E208CD114D095A50876E46B483C5496959BEC2216D7B5E1A897C687BE6389326F48F18D2A3D272C512347C6B2217ED664363
                                                                  Malicious:false
                                                                  Preview:L..................F.... .....p.=...JWF.......p.=....T~..........................P.O. .:i.....+00.../C:\.....................1......XT...PROGRA~2.........O.I.XT.....................V.....7T..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....h.1......XU...ORTELI~1..P......XT..XU.....q......................8 .O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....n.2..T~.]G@\ .ORTELI~2.EXE..R......]G@\.XW...............................O.r.t.e.l.i.a.S.p.a.c.e...e.x.e.......f...............-.......e...........v.;.....C:\Program Files (x86)\Ortelia Curator\OrteliaSpace.exe..F.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.O.r.t.e.l.i.a.S.p.a.c.e...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.........*................@Z|...K.J.........`.......X.......172892...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Nov 5 01:22:54 2015, mtime=Fri May 10 02:10:45 2024, atime=Thu Nov 5 01:22:54 2015, length=2857267, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1187
                                                                  Entropy (8bit):4.632731355018756
                                                                  Encrypted:false
                                                                  SSDEEP:24:8mgSyEVdOEipoDWe5AbqBudZ9454dZ9BUUlrqyFm:8mgSlVdOBOWFbVdZ95dZ9aDyF
                                                                  MD5:E164F22F789C4B39C158111148ECA744
                                                                  SHA1:92DECE005CE20D7F081199DE395687AEA8FF9E9F
                                                                  SHA-256:DECEA7BBC9CFAD2FA5864D6F15CAE63A182C45C46C32CE6FFD055CE5D744ED7C
                                                                  SHA-512:4EE9094A7E131D90A3D198C7166A6818ABC75D6D7F68606CAFD805B6EEB97E792133CF95326EED8111A84E95AB442D5A9AC923393B931B0A99A9D69FECFCF44F
                                                                  Malicious:false
                                                                  Preview:L..................F.... .....u.p....@........u.p...3.+..........................P.O. .:i.....+00.../C:\.....................1......XT...PROGRA~2.........O.I.XT.....................V.....7T..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....h.1......XU...ORTELI~1..P......XT..XU.....q......................8 .O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....v.2.3.+.eG.. .ORTELI~2.PDF..Z......eG...XW...............................O.r.t.e.l.i.a.S.p.a.c.e.H.e.l.p...p.d.f.......j...............-.......i...........v.;.....C:\Program Files (x86)\Ortelia Curator\OrteliaSpaceHelp.pdf..J.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.O.r.t.e.l.i.a.S.p.a.c.e.H.e.l.p...p.d.f.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.........*................@Z|...K.J.........`.......X.......172892...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C...
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):862
                                                                  Entropy (8bit):3.399379771982475
                                                                  Encrypted:false
                                                                  SSDEEP:12:8wl0Na/ledp84/GmqRgK4CbdpYqzR3dJEMbdpYqzRBQ/CNUvH4t2YZ/elFlSJm:8JdO48P4GdZ9NW4dZ9COUFqy
                                                                  MD5:0542F0BD92995D6F3AEAE3B19F690F08
                                                                  SHA1:4D10870299C4C456478424FB063E80F4F707F867
                                                                  SHA-256:D1354451A78539C92B3B3A5DC0B75C0E4A84D9C905063F32DFF336DCABBACEDA
                                                                  SHA-512:30480CE68083008D5FA7AB5D7A2AD1BC62899CF194486BF2EC0D4E8738F4786372CCD0B13B646B371956B9B473DB570EAF440A6305F6405236FC330592535C00
                                                                  Malicious:false
                                                                  Preview:L..................F........................................................w....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".n.1...........Ortelia Curator.P............................................O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......@.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.u.n.i.n.s.t...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.........*................@Z|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 29 01:56:30 2015, mtime=Fri May 10 02:10:44 2024, atime=Thu Oct 29 01:56:30 2015, length=44867363, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1159
                                                                  Entropy (8bit):4.633313513027766
                                                                  Encrypted:false
                                                                  SSDEEP:24:8mk2SH9/yEVdOEipoDlEWtHABqBjedZ9n94dZ9BUUl4/oqyFm:8mjq9/lVdOBOlztgB9dZ9n6dZ9afyF
                                                                  MD5:8824AB119990D7377843988B01413DFD
                                                                  SHA1:6FF47DF02D8FEF61B8DB4339462A8D6FF1C5403C
                                                                  SHA-256:B27C150515035A853440037214AC9B761C0B0BDF820523007C1B3AB5805B28FC
                                                                  SHA-512:BC594688EA5E8D5C30E45EDBACABD28477EB7155962790BA627B8779F967884F17250BB904BD96895DA42860A2F4AC58836C0057A9EC08098E18E31FC55189C7
                                                                  Malicious:false
                                                                  Preview:L..................F.... .....2i....U........2i....#............................P.O. .:i.....+00.../C:\.....................1......XT...PROGRA~2.........O.I.XT.....................V.....7T..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....h.1......XU...ORTELI~1..P......XT..XU.....q......................8 .O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....r.2.#...]G.. .ORTELI~1.EXE..V......]G...XV.....s.........................O.r.t.e.l.i.a.C.u.r.a.t.o.r...e.x.e.......h...............-.......g...........v.;.....C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe..?.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.O.r.t.e.l.i.a.C.u.r.a.t.o.r...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.........*................@Z|...K.J.........`.......X.......172892...........hT..CrF.f4... .v.T..b...,.......hT..CrF.f4... .v.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 29 10:34:00 2015, mtime=Fri May 10 02:10:45 2024, atime=Thu Oct 29 10:34:00 2015, length=25056388, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1149
                                                                  Entropy (8bit):4.638231837830744
                                                                  Encrypted:false
                                                                  SSDEEP:24:8m5yEVdOEipoDxK0MAnqBYdZ94w4dZ9BUUl7qyFm:8m5lVdOBOxVnfdZ9CdZ9a7yF
                                                                  MD5:EA2F3EE6CAA12CBAFEBCC3A42C9FF076
                                                                  SHA1:679F5F242D565AF03CE898002283CCDCE51E73AD
                                                                  SHA-256:9F4C661910E55D958AFEB191DA6B87517DB7AA0E2D2564A35E11B8F3609A28F4
                                                                  SHA-512:00CF8B1BD2C0D2638D0B2DA547A09D02AEE7EC87314C5C5835B6A3FF35D1BD2E26A678D71CDB77D282A9C54EE970668B6DF1E990832C9BBFF7EA829C9FD5B60E
                                                                  Malicious:false
                                                                  Preview:L..................F.... .....p.=.............p.=....T~..........................P.O. .:i.....+00.../C:\.....................1......XT...PROGRA~2.........O.I.XT.....................V.....7T..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....h.1......XU...ORTELI~1..P......XT..XU.....q......................8 .O.r.t.e.l.i.a. .C.u.r.a.t.o.r.....n.2..T~.]G@\ .ORTELI~2.EXE..R......]G@\.XW...............................O.r.t.e.l.i.a.S.p.a.c.e...e.x.e.......f...............-.......e...........v.;.....C:\Program Files (x86)\Ortelia Curator\OrteliaSpace.exe..=.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.\.O.r.t.e.l.i.a.S.p.a.c.e...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.O.r.t.e.l.i.a. .C.u.r.a.t.o.r.........*................@Z|...K.J.........`.......X.......172892...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.
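The four shortcuts above are summarised by the report as "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=..., mtime=..., atime=..., length=..., window=hide". Those words come straight from the fixed 76-byte ShellLinkHeader at the start of every .lnk (MS-SHLLINK 2.1). The script below is an added example, not part of the Joe Sandbox report or of the Ortelia Curator installer: it decodes that header, maps the LinkFlags and FileAttributes bits to the same labels the report uses, converts the FILETIME fields, and reproduces the "Entropy (8bit)" and hash fields listed for each dropped file. The two sample headers are constructed in the block (one resolved shortcut with target metadata filled in, one with no LinkInfo, zero timestamps and length 0, the shape of the uninst.exe shortcut above); they are not bytes from the report.

```python
"""Added example, not part of the Joe Sandbox report: decode the fixed 76-byte
ShellLinkHeader (MS-SHLLINK 2.1) of a Windows .lnk file and reproduce the
shortcut attributes the report prints for each dropped .lnk, plus the 8-bit
entropy and hashes it lists. The two sample headers are constructed below."""
import hashlib
import math
import struct
import uuid
from collections import Counter
from datetime import datetime, timedelta, timezone

HEADER_LEN = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags (MS-SHLLINK 2.1.1), labelled the way the report's File Type line does.
LINK_FLAGS = {
    0x01: "Item id list present",           # HasLinkTargetIDList
    0x02: "Points to a file or directory",  # HasLinkInfo
    0x04: "Has Description string",         # HasName
    0x08: "Has Relative path",              # HasRelativePath
    0x10: "Has Working directory",          # HasWorkingDir
    0x20: "Has command line arguments",     # HasArguments
    0x40: "Icon",                           # HasIconLocation
}
IS_UNICODE = 0x80
# FileAttributes (MS-SHLLINK 2.1.2): attributes of the target when the link was made.
FILE_ATTRS = {0x01: "Read-Only", 0x02: "Hidden", 0x04: "System",
              0x10: "Directory", 0x20: "Archive"}
SHOW_COMMAND = {1: "normal", 3: "maximized", 7: "minimized"}


def filetime_to_utc(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'never recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_lnk(data):
    return (len(data) >= HEADER_LEN
            and struct.unpack_from("<I", data, 0)[0] == HEADER_LEN
            and uuid.UUID(bytes_le=bytes(data[4:20])) == LNK_CLSID)


def parse_lnk_header(data):
    """Return the ShellLinkHeader fields; raises ValueError on a non-LNK blob."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    # Field order per spec: LinkFlags, FileAttributes, CreationTime, AccessTime,
    # WriteTime, FileSize, IconIndex, ShowCommand, HotKey (Reserved1-3 follow).
    flags, attrs, ctime, atime, wtime, size, _icon, show, _hotkey = \
        struct.unpack_from("<IIQQQIIIH", data, 20)
    return {
        "link_flags": [n for bit, n in LINK_FLAGS.items() if flags & bit],
        "is_unicode": bool(flags & IS_UNICODE),
        "file_attributes": [n for bit, n in FILE_ATTRS.items() if attrs & bit],
        "creation_time": filetime_to_utc(ctime),   # offset 28
        "access_time": filetime_to_utc(atime),     # offset 36
        "write_time": filetime_to_utc(wtime),      # offset 44
        "target_size": size,                       # the report's 'length='
        "show_command": SHOW_COMMAND.get(show, "normal"),
    }


def entropy8(data):
    """Shannon entropy in bits per byte (the report's 'Entropy (8bit)')."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def hashes(data):
    """Upper-case hex digests in the order the report lists them."""
    return {a: hashlib.new(a, data).hexdigest().upper()
            for a in ("md5", "sha1", "sha256", "sha512")}


def build_header(flags, attrs, ctime, atime, wtime, size, show=1):
    """Constructed ShellLinkHeader only; no ID list, LinkInfo or strings follow."""
    return (struct.pack("<I", HEADER_LEN) + LNK_CLSID.bytes_le
            + struct.pack("<IIQQQIIIHHII", flags, attrs, ctime, atime, wtime,
                          size, 0, show, 0, 0, 0, 0))


T2015 = utc_to_filetime(datetime(2015, 11, 5, 1, 22, 54, tzinfo=timezone.utc))
T2024 = utc_to_filetime(datetime(2024, 5, 10, 2, 10, 45, tzinfo=timezone.utc))
# Constructed: a resolved shortcut whose target metadata was filled in at creation.
RESOLVED_LNK = build_header(0x01 | 0x02 | 0x08 | 0x10 | IS_UNICODE, 0x20,
                            T2015, T2024, T2015, 2857267)
# Constructed: an unresolved shortcut; no LinkInfo, zero timestamps, length 0.
UNRESOLVED_LNK = build_header(0x01 | 0x08 | 0x10 | IS_UNICODE, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    for blob in (RESOLVED_LNK, UNRESOLVED_LNK):
        h = parse_lnk_header(blob)
        print(", ".join(h["link_flags"] + h["file_attributes"]), h["creation_time"],
              h["target_size"], round(entropy8(blob), 3), hashes(blob)["sha256"])
```

Two things worth knowing when reading the report's summary line against this output. First, MS-SHLLINK names the 8-byte fields at offsets 28, 36 and 44 CreationTime, AccessTime and WriteTime, whereas the summary labels the same three slots ctime, mtime and atime; the code keeps the spec names, so its access_time is the value the report prints as mtime. Second, an all-zero FILETIME decodes to 1601-01-01 UTC, which the summary renders in local time as "Sun Dec 31 23:06:32 1600"; the parser reports it as None, since together with length=0 and the missing "Points to a file or directory" flag it means the shortcut was written without resolving its target, as the uninst.exe shortcut above was. The header also only tells you the target's size and attributes; the path itself lives in the LinkInfo and string sections that follow, and the SID visible at the end of the previews sits in the trailing PropertyStore block.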
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
                                                                  File Type:Windows setup INFormation
                                                                  Category:dropped
                                                                  Size (bytes):812
                                                                  Entropy (8bit):5.330465944123231
                                                                  Encrypted:false
                                                                  SSDEEP:24:M5+gJXIIO6ejBL389vjcz689vjHv89vjf:0+KXIIO6ejBL3K06K7vKL
                                                                  MD5:ECBEFD1DB4CB52D5089B1D4B20A08656
                                                                  SHA1:85134F773BCCFF3E874D27D7E79DCD1E9485C903
                                                                  SHA-256:4887CBEC8545B02152EB16F6296987A43A256B69B408330EAEE362184F298D98
                                                                  SHA-512:A50AFD834F0D892AF5EB33B9C6FFBB330DDEBCEBD123FC7F706F05EFAC9491B49DFDCFE6196F3B6A3C9F7FFEDF4FA723E0499F03417552404C0FB4F4FA3C046C
                                                                  Malicious:false
                                                                  Preview:..; ---- Common sections ----..[Version]..Signature = "$CHICAGO$"..AdvancedINF = 2.0..Provider = %MSFT%..SetupClass = BASE....[Strings]..MSFT = "Microsoft"......; ---- Windows XP 64bit ----..[4.09.00.0904.00-4.09.00.0904.00_WinXP@64]..NumberOfFiles=6..Size=3462 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..infinst.exe D3DX9_42_x64_xp.inf......; ---- Windows Server 2003 64bit ----..[4.09.00.0904.00-4.09.00.0904.00_Srv2K3@64]..NumberOfFiles=6..Size=3462 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..infinst.exe D3DX9_42_x64_xp.inf......; ---- Windows XP Version 2003 and beyond 64bit ----..[4.09.00.0904.00-4.09.00.0904.00_WinNT@64]..NumberOfFiles=6..Size=3462 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..infinst.exe D3DX9_42_x64.inf....
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
                                                                  File Type:Windows setup INFormation
                                                                  Category:dropped
                                                                  Size (bytes):1628
                                                                  Entropy (8bit):5.383478137127911
                                                                  Encrypted:false
                                                                  SSDEEP:48:0+KXIIO6eK/xOBrWxVBLOxonx7ZxtexXWxw:iXIj6eK/xO8xVNOxonx7ZxtexXWxw
                                                                  MD5:DFF48361A5CB0DEA034DC6F16DE99477
                                                                  SHA1:AFA417ACF7E9DA37923255A623EF34C7F6446C80
                                                                  SHA-256:5989DC367A8F84815BCFA1C46FF756527C6250C62973220D1AF354B70027EAF2
                                                                  SHA-512:750B69EEE07E7D6E7FBDBA722E2E1CE377729DCA5FE52B4D57D23DD2B80B28B3AF8403AA43C469A5042AD35EB09BA4DBEFC40A014A137E1B5D87E0F2DE203856
                                                                  Malicious:false
                                                                  Preview:..; ---- Common sections ----..[Version]..Signature = "$CHICAGO$"..AdvancedINF = 2.0..Provider = %MSFT%..SetupClass = BASE....[Strings]..MSFT = "Microsoft"......; ---- Windows 2000 ----..[4.09.00.0904.00-4.09.00.0904.00_Win2K]..NumberOfFiles=5..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..D3DX9_42_x86_xp.inf, x86_Install......; ---- Windows XP ----..[4.09.00.0904.00-4.09.00.0904.00_WinXP]..NumberOfFiles=5..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..D3DX9_42_x86_xp.inf, x86_Install......; ---- Windows XP 64bit ----..[4.09.00.0904.00-4.09.00.0904.00_WinXP@64]..NumberOfFiles=5..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..D3DX9_42_x86_xp.inf, x64_Install......; ---- Windows Server 2003 ----..[4.09.00.0904.00-4.09.00.0904.00_Srv2K3]..NumberOfFiles=5..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..D3DX9_42_x86_xp.inf, x86_install......; ---- Windows Server 200
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
                                                                  File Type:Windows setup INFormation
                                                                  Category:dropped
                                                                  Size (bytes):66865
                                                                  Entropy (8bit):5.567626982635727
                                                                  Encrypted:false
                                                                  SSDEEP:768:Wn+OeDyG6lG9CVGQM6UP8XUUkw8KlNxLkPkjdARflPp0VZRTBM9oZPFASJu71N1F:V
                                                                  MD5:B36D3F105D18E55534AD605CBF061A92
                                                                  SHA1:788EF2DE1DEA6C8FE1D23A2E1007542F7321ED79
                                                                  SHA-256:C6C5E877E92D387E977C135765075B7610DF2500E21C16E106A225216E6442AE
                                                                  SHA-512:35AE00DA025FD578205337A018B35176095A876CD3C3CF67A3E8A8E69CD750A4CCC34CE240F11FAE3418E5E93CAF5082C987F0C63F9D953ED7CB8D9271E03B62
                                                                  Malicious:false
                                                                  Preview:..[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DXUpdate_Feb2005_x86]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=990,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Feb2005_x64]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1220,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x64.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x86]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1055,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Apr2005_d3dx9_25_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x64]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1317
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):177152
                                                                  Entropy (8bit):6.549767948531931
                                                                  Encrypted:false
                                                                  SSDEEP:3072:KU6LKKnw8i/9S7BLGKm/nuFV3uNgosUBxr+2y97CqGIpHtWMeJnQRLj+bTHyKaY:Iw8aIMrfuFVeNgosUBxra4rIZsqq
                                                                  MD5:7ED554B08E5B69578F9DE012822C39C9
                                                                  SHA1:036D04513E134786B4758DEF5AFF83D19BF50C6E
                                                                  SHA-256:FB4F297E295C802B1377C6684734B7249D55743DFB7C14807BEF59A1B5DB63A2
                                                                  SHA-512:7AF5F9C4A3AD5C120BCDD681B958808ADA4D885D21AEB4A009A36A674AD3ECE9B51837212A982DB6142A6B5580E5B68D46971B802456701391CE40785AE6EBD9
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M.CM...M...MJ..M...M...M...M...M...M...M..KM...M..zM...M..{M...M..JM...M..MM...MRich...M................PE..L......M...........!.....j...n............................................................@.........................pw..V....j..........8.......................X...p...................................@...............8............................text....h.......j.................. ..`.data....:...........n..............@....rsrc...8...........................@..@.reloc..0&.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
                                                                  File Type:Windows setup INFormation
                                                                  Category:dropped
                                                                  Size (bytes):12848
                                                                  Entropy (8bit):5.071095411173453
                                                                  Encrypted:false
                                                                  SSDEEP:384:eXTiDxtV0xxmBxbD6Ys7s6xHOJYwYdDxAp8xXZyUxIJM:eXiM
                                                                  MD5:E6A74342F328AFA559D5B0544E113571
                                                                  SHA1:A08B053DFD061391942D359C70F9DD406A968B7D
                                                                  SHA-256:93F5589499EE4EE2812D73C0D8FEACBBCFE8C47B6D98572486BC0EFF3C5906CA
                                                                  SHA-512:1E35E5BDFF1D551DA6C1220A1A228C657A56A70DEDF5BE2D9273FC540F9C9F0BB73469595309EA1FF561BE7480EE92D16F7ACBBD597136F4FC5F9B8B65ECDFAD
                                                                  Malicious:false
                                                                  Preview:..; ---- Common sections ----..[Version]..Signature = "$CHICAGO$"..AdvancedINF = 2.0..Provider = %MSFT%..SetupClass = BASE....[Strings]..MSFT = "Microsoft"....[MDXDLLs]..Microsoft.DirectX.AudioVideoPlayback.dll..Microsoft.DirectX.Diagnostics.dll..Microsoft.DirectX.Direct3D.dll..Microsoft.DirectX.Direct3DX.dll..Microsoft.DirectX.DirectDraw.dll..Microsoft.DirectX.DirectInput.dll..Microsoft.DirectX.DirectPlay.dll..Microsoft.DirectX.DirectSound.dll..Microsoft.DirectX.dll......; ---- Windows 98 ----..[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_d3dx9_24_x86.cab]..NumberOfFiles=4..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..d3dx9_24_w9x.inf....[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_MDX_x86.MSI]..NumberOfFiles=1..Size=1788 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..Dependencies=feb2005_d3dx9_24_x86.cab..Feb2005_MDX_x86.MSI......; ---- Windows ME ----..[4.09.00.0904.00-4.09.00.0904.00_WinME_Feb2005_d3dx9_24_x86.cab]..N
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2330624
                                                                  Entropy (8bit):6.003344734217147
                                                                  Encrypted:false
                                                                  SSDEEP:24576:YioBKbbti87ATl6OFpIPJ5siPs6FpAcQOowfp/CBzZBIfIF:IKbAeJ5sOdwBIf2
                                                                  MD5:D12F6E601E3BB68706A006E6DA5E11D5
                                                                  SHA1:EDAE1ACFDBFD6BBC344F3469F2ACDAD05D4BAAE0
                                                                  SHA-256:2B944B6A202EFB666C952057949B6EBE9AA7CA8916EE586BB1AAF7223FC8DA07
                                                                  SHA-512:41B9F96688AC269BC22577D821179923F8FE6DA8019E2D4877E09CD018F10355C8F5B3F54FDC62744AFAB2580D7F0FE6259704C72E1ACF774E49FC5E53E89CBF
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FW.4.6.g.6.g.6.g..g.6.g%.g.6.g%.g.6.g%.g"6.g.9.g.6.g.6.gv6.g%.g.6.g%.g.6.g%.g.6.gRich.6.g........PE..L......H...........!.....`... ...............p................................#.......#.............................P...|h...@".d....P"......................`"..... z..................................@...........8C"..............................text....S.......`.................. ..`.rdata......p.......p..............@..@.data........0!......0!.............@....idata.......@"......0".............@....rsrc........P"......@".............@..@.reloc..g2...`"..@...P".............@..B........................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):479232
                                                                  Entropy (8bit):6.032042710651012
                                                                  Encrypted:false
                                                                  SSDEEP:6144:pLj8Tfo4zrcq2FXOtO6lsut2fPzcDmhQh9Eubkc1OjPQnF:pwo4zATssukwqhQzEubP6QF
                                                                  MD5:43D40B4E6673D515A6009676BBBD6EFA
                                                                  SHA1:3CE5AFDC1E1F18A512B2ECDA71BF75A69E3738C6
                                                                  SHA-256:AF760459226AD038E9556D48CFA7B6BF686A3834FC694F0FEBE6EE4A7919D8E7
                                                                  SHA-512:FAC6615B678AD05505B4F4EA7343166A16E6D23A1265286C88803117E52360E23855E2FBF740908DAB32D0F9CB5E237D15758AE42D9A73896E5D9DC0315AC6BA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e/.f.|.f.|.f.|ZB.|.f.|.iV|.f.|.f.|@f.|..p|.f.|J.u|.f.|..v|.f.|..f|.f.|..e|.f.|..q|.f.|..w|.f.|..s|.f.|Rich.f.|........PE..L...R.H...........!.........@.......T............L|.................................L....@.............................d ..$...d.....................................................................@..............................H............text....x.......................... ..`.rdata..4Z.......`..................@..@.data............ ..................@....rsrc...............................@..@.reloc..P$.......0... ..............@..B................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):548864
                                                                  Entropy (8bit):6.401981856876486
                                                                  Encrypted:false
                                                                  SSDEEP:12288:b14yu7vZ0kPjOf1FcUt51U+hUgiW6QR7t5j3Ooc8NHkC2ek:b14yu7vZ0Ki9FDtrUa3Ooc8NHkC2ek
                                                                  MD5:336855174A8F8EC2854C9BF5DFF32645
                                                                  SHA1:284C66D0857FF398142D6F3F12C4EEB96FECC711
                                                                  SHA-256:2901B2F6727087D42EC4B40E319E827847ECD4D3C71F559D7B8C5E5442286CCF
                                                                  SHA-512:AC7D04315209646539DB3DD9F5B77A14C9A8AD110AA5D50F094FDF323DDF66231456F3D37FEF6D94AB00B16109465C583641CE88DCC75430B7752954ABAEDF7A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L...Z.H...........!.....@... ...............P....B|.........................p............@.............................M...d...<............................ ..P2...S..............................Pe..@............P.. ............................text....;.......@.................. ..`.rdata.......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):626688
                                                                  Entropy (8bit):6.834110077145174
                                                                  Encrypted:false
                                                                  SSDEEP:12288:rb+HUIWn+P14Uy3rVLuNhr46CYf4mGyY:ryHRWn+/y3R6Ff4mGyY
                                                                  MD5:F0B72E15630D427D9293D4A528CCAF23
                                                                  SHA1:050FAA2CDCFF66EB2CDA2AB2B10489F3B50B4FA2
                                                                  SHA-256:01EBC78156571E208BBFFD53CBE3E2F141FC30B3E9B9D139F9A0CB3DD3CC9B57
                                                                  SHA-512:2C1FE166C304CA8E08E43002AB6041132EA12CD2653C94426573371F0FA6614D98131B68E392FAA6D38D8B12BFF33A0A78B4BAF6A1E4B546D31813EE737BAF5F
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2414360
                                                                  Entropy (8bit):6.682016081145454
                                                                  Encrypted:false
                                                                  SSDEEP:49152:9UIXU56pbC6gU8DJpHJLfdrKF322i0aGHhBoMWMNPbSVjeZgxl:OsU56hMU8DJpHJLfdrKF32R0aOBoMWcU
                                                                  MD5:797E24743937D67D69F28F2CF5052EE8
                                                                  SHA1:7D39AFBF94675487A9FF7E41D2DBB8DAEDF7AD00
                                                                  SHA-256:E2065619FE6EB0034833B1DC0369DEB4A6EDC3110E38A1132EEAFCF430C578A5
                                                                  SHA-512:8804D0D95688A932C7BF7E1A023179DE8DF3A5436E356B36D803CB9781F3A378ADB9FE69D03B28362755B808CBEB2CC718AB920672270DE0B954996996328F5E
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23040
                                                                  Entropy (8bit):5.7311085624044305
                                                                  Encrypted:false
                                                                  SSDEEP:384:pnIgG58SqAPukZuLs5HuaackL5WuPE8nbyfLqQcDb7kEuNOosmMLZWZjPAWURi:CgHSq841L5TPNtfoEu6uP4
                                                                  MD5:9CFCB3CA3D83B4EAA133F0644A2C6F31
                                                                  SHA1:B31A80D13C4E9DC5409F43C1B146ED2FF6DF3F1B
                                                                  SHA-256:CC0A76B55B38183B8C6141C290D1858A9D118333C804784AB305FE76A0FCE775
                                                                  SHA-512:9E3444B6A498C214A927221DF2F7A90B2BC37B4D1B84D8B98DD9A04D265164C165093ECF62009B6F9D3F414AE76A6B6BBDD86C4C538D2598A3D22D04E6AC4430
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):159744
                                                                  Entropy (8bit):6.21365245061824
                                                                  Encrypted:false
                                                                  SSDEEP:3072:SlpOATdJMPMq8kEWkFLfaNgjl34BSZ8OO3valLXiAGk:SXQq5XtO3vasA
                                                                  MD5:3867731CA95F5212BEAD919B781B40AB
                                                                  SHA1:EE92652B65900BAA0C08FE805B6F0840879A1A60
                                                                  SHA-256:2CCC8188EBFAC06881DB09C144CDD4A66C848B53C2ED854DF10BDFDE49E4BB93
                                                                  SHA-512:16004A942AB38C52FC742B8E1F9E35F57C08291D693679BB7DB07E125065273C4F22524B860E66EAA8BFB3765D53AAB6A75A94AE40A8F513B1A43C0550956511
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 1%
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):28605
                                                                  Entropy (8bit):4.153597742906632
                                                                  Encrypted:false
                                                                  SSDEEP:192:y4a1eo53grT1QC9WQniZ8mBfDzmlo4AeZHq6xWa:L5ugrTBWQniiY/4hWa
                                                                  MD5:D0AA8C5DD0719BD0EE53223DB6E81AC7
                                                                  SHA1:5EB02700E93F1CB03755F7AE221856BB87BB033B
                                                                  SHA-256:B738E982CFA61977307F22CF42EB8E55C4FC3C58DDAA167AF14DA38F65860BC4
                                                                  SHA-512:B2736698210F90252E7D6D63BFBD5FCBB38913B32D7CCFD7F883B481C63AE3C7E8BB67A6632748235FE0392D4D5D2EFA483D5DF980D9FDBEEFE16A531B2190D7
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):79112
                                                                  Entropy (8bit):4.8940507810767695
                                                                  Encrypted:false
                                                                  SSDEEP:384:Qh3Kmoxj+m5Ftj+6lZ/zhJEL4DY63FY+NP7PC3GRCk+VQCBVZwddU36:ZmUFHHjgGL5NzPlc/c
                                                                  MD5:8E1131988792CAB6379DBC798E374502
                                                                  SHA1:3C27DB57E15E19E4653262F8912422A847AFB40A
                                                                  SHA-256:234297AFDE596C8B3424865B6F9D6966A0F3AB55E1F5BC5ED3D747DC7AEC8D3D
                                                                  SHA-512:2391F194D231E75F31A23ECF68C54662FE9E86B972E45FB1D79426B5630716A05C05D6AB7289C889539D394C0B05D092A66F1E447DE93C62561DCD931DCDBB11
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):220532
                                                                  Entropy (8bit):3.6323654562859264
                                                                  Encrypted:false
                                                                  SSDEEP:1536:LyB78xde7sUQf6E2UAr0E6C4bmNGUATGEABAcrGawleMj+GWAvmmakX9aXlwQ:bqV
                                                                  MD5:AF9EB510F9CC5885E6D24BFC56CDAAB4
                                                                  SHA1:AF19614BBB8A59326CAA24AE81C6C8CED75AE8BC
                                                                  SHA-256:F2EA4D39E77255DDCCD41C216A8CECE96709919F3AEA9916C9BFBDE1A56B6933
                                                                  SHA-512:7AD17DF95D1228E6BAD8BF0F833C6FCCA29996128A2D432C735682319B46DBA03E904EB36EFEF431C3EF81DA4C957C4A18C7E21432CF7A401AEDE615E1A8B9EC
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):83689
                                                                  Entropy (8bit):4.997909316290841
                                                                  Encrypted:false
                                                                  SSDEEP:768:RsvnIGLAl34n9u2kylchU4Eu4bBmWN9eSw+cDGa62u2t6xSKcmL7F:RsPIGLs3uu2kKcA/9vG9NIj
                                                                  MD5:4CCB4EF3F8FD6232F8D2432C491E45A9
                                                                  SHA1:E5DAF521205D3332B50CA8E5B068220F939DE4CA
                                                                  SHA-256:D1DB0A1650A8477E07A4DB10ED2744E79EA145E5388AB97A482444183E4CC64E
                                                                  SHA-512:B150D136EF227B744FF7FFF136DC97A0D7C61944CDB58EE8D28CF85451E40F3390AE083C6AB9E7274E8F663A52F0AA8102803CBDC45FDF8E270DBBD32E4FA44E
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):140075
                                                                  Entropy (8bit):5.028135396461035
                                                                  Encrypted:false
                                                                  SSDEEP:1536:SzuutdGLX3ACXXXXXXzzfdGtATGdcg2ooRCl1J8nY:S6utMLX3VXXXXXXzzfM/3
                                                                  MD5:8339330E37E3FFD09C915981E62643D5
                                                                  SHA1:1AA0853DD9C9B1C8D1244D9D525ED00B3EF3846C
                                                                  SHA-256:EA5747CA90F8F046C6FD12DC4916EDA6C8CD9F618BE4D2770C253FC96ACB230D
                                                                  SHA-512:966DC83C30058DB2EA076E03B88C735D05357A8D3100FAE189CD3167E2B1F593C411BFA60A0776A538BF62D1DFDCA59DDE815D8DBD630E11DDEC74EA9C4D961A
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1055608
                                                                  Entropy (8bit):7.8138981352769346
                                                                  Encrypted:false
                                                                  SSDEEP:24576:ndNrVevVny5c46kgSVb7hbTsl6Deq6bVRG:ndXiNYSUT6bVRG
                                                                  MD5:06CA8EF0320D560961903D66461BFC52
                                                                  SHA1:6C3B72C92624ECE68190E9FA6C02108A2CFD0458
                                                                  SHA-256:4BEA963C6F84D2366F57FBAE5E18B141861F61030AA5ECC6267CBFD0983DA507
                                                                  SHA-512:8FAE8040FCC10D1E5C716E25D662E961512EE9F4D9DF12F7954923E7E6822F911884314B96F15966F06B3F13C43D9CBF4F5F94396512AF6A5811CCB00C51FB08
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):14542
                                                                  Entropy (8bit):4.758922871271289
                                                                  Encrypted:false
                                                                  SSDEEP:192:Rxrr3omUombH9hAsJE309hyHc2fflJ2cee8SiAzcvSr8:RxGM++Hc2fflJ2ceejiE8
                                                                  MD5:275857B8238CD126C0D80D2AA7A84123
                                                                  SHA1:5ECD1BAE2C33CDD9EA1BB92FCF5E5810AD40908A
                                                                  SHA-256:01B1919551B0232BF8F98D9A4C7954EA2B4A0D09C44E08D372902BCB3C06C0B2
                                                                  SHA-512:A8742F7D75DAAEF9C864744D3EE4359729562AAD58F3CF1040D831A67BF7A9040B45D9239F88D7FC134CF4BA7A5420573DF1AE5E1A12ED96CBA2B305B1254B82
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):171645
                                                                  Entropy (8bit):4.419692638432846
                                                                  Encrypted:false
                                                                  SSDEEP:3072:+Ag29h/rQsB0/nY2Zbh6F7IPlX9WQo8/LqRAOHbdaKvt/+HIRBHWd2AaYOMoIvqQ:U29h/rFC/Y25heI9h7C37dl1GHk2Zrf9
                                                                  MD5:9600980CE7A32AE798D642078662D577
                                                                  SHA1:8776C5E543A4E1697B29D1021773155F22B295C5
                                                                  SHA-256:C386469F02D8B5054799F377E85DEA35025ACA1B29581332AA46ED3EF2DBDE65
                                                                  SHA-512:543997DF718909B373998FE2CC10BFE88003E3A3A4EC357EDCFAFAE63463C6875F0F7A63FB2FE2FA340A86D27260C1DFD9103821E0602627866EC314E332C1C5
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):3220823
                                                                  Entropy (8bit):7.449497583964116
                                                                  Encrypted:false
                                                                  SSDEEP:49152:EUtYjNMaFf0pDB7fGLzrAHtpCyRoHICyRoHh8hjq5arlkU0ON37Y:EcYGysp97fGLzkHj0HI0Hhf0CULY
                                                                  MD5:9259DCD85AB7DBA2DB1229785E6B0270
                                                                  SHA1:B1D1F8472F37CAB9DFB7FCE9966F7B5917DE7579
                                                                  SHA-256:DBC4797DB7B4FB92BFB20FF66EB655A89CD097C517F66C48F01ECAC8694CE202
                                                                  SHA-512:F3D72EFAF862B46D3292440F45FC5C8A7C118258BAEBF89CE0105A13DA6511A07686D5B3D2AA6A8BA3442F4AD95EA11ADCE3B1DFD4675A9584398E9387FEC0F5
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):399167
                                                                  Entropy (8bit):4.813682614838656
                                                                  Encrypted:false
                                                                  SSDEEP:6144:cuyjg+pkN8LZyJeQSZikho93On+ozrzyxBijwJ7jzAii9ZlO9BIWSTT9qs:cuyjg+C8M1AvWVDMA7XAf9ZlySWSTT
                                                                  MD5:30B9725C178761D00E25D1CF967D3FE4
                                                                  SHA1:141244A11B356188F67FC0B89797CB9DE956FF03
                                                                  SHA-256:2E3DC4FDA4F6853C3A8DEC9DF9169739332FDDADCE46DEFDA0192CA85EA4A64A
                                                                  SHA-512:F31F9CA52102C47B53C1811BD196577B0EC4D1657662D327676B6CFA66ED4CDDB0221559304EFA3DC3F01D7573415E32F454B54B0FDE8B053699DD2EAED02B6B
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):29384544
                                                                  Entropy (8bit):4.629779847070129
                                                                  Encrypted:false
                                                                  SSDEEP:393216:xhjHHHH880rdSSSSS/55555NCeIIIIIT+DDDwIe:xhjHHHH880rSCvIe
                                                                  MD5:B1F150420765BDBCDF6D77C15903CAFF
                                                                  SHA1:B66F221E09CD80F7CE0953ACFF71A6C6FF508F0B
                                                                  SHA-256:5C89D6DD7F982DA3362754B216CB78282AAE839367AC7ED78736139E5F0010AD
                                                                  SHA-512:71FC649B2107D292165D71DEF288FA4D3FD60828B975621977306C4975163F13B5795DEED84F085EDE652E794324DF4FC41731D677A98ABA3093054098B39615
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):25292344
                                                                  Entropy (8bit):5.625601449565122
                                                                  Encrypted:false
                                                                  SSDEEP:786432:/xUMRQ0TLd3tcEnSBUFNjVzffir8yxirXKHSbRmAs+XWmN:/xUMRQ0TLd3tcEnSBUFNjVzffir8yxiT
                                                                  MD5:52D0AA8851470A55C91E5E92CBCFFB6C
                                                                  SHA1:F5D48619C2468633CA6861C5E1D90D4D3C3188F3
                                                                  SHA-256:4A00CE7A05AFA08B0237353F22D2508A117AEF10601499829DCF5D89F5DBAC7A
                                                                  SHA-512:1A5BA69214263B02C2B0D5CB6F21DDA276A7E782F11212C29150DD96A509503291378707B2B9F545BD98072F01A9D951624AED3CAE1918865AFDDE11D747E5FC
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):8354651
                                                                  Entropy (8bit):4.6107002285192955
                                                                  Encrypted:false
                                                                  SSDEEP:12288:0GN+HCw9eFYVoV/g6z/mVOMyMbhj/hfjS7IxsH0SwuyqqF:0GN+HCw9eFYVoVLU/pJjS2yoma
                                                                  MD5:FC74A0C47E7A285D36DD507044707D2E
                                                                  SHA1:CE19AAF24FB56552E860878C43149B4D6CF595DD
                                                                  SHA-256:318BE8986586B825514C8EA9E5EBF867EF00A3AE4271DF23B16FCD5E908A425A
                                                                  SHA-512:2DBC1FB258025E80BD35D14EE6604BA64F0E2A955B6B72E1586595C71AE86C361D9BE804C1F06B130D56A7BC58753D3B704BA005B008FA2D35C8722070C458CD
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):57999
                                                                  Entropy (8bit):5.293878336750278
                                                                  Encrypted:false
                                                                  SSDEEP:1536:hniRRGBg26QXQxW+Dm5+DUcGj//Fgv/S++5c2:hniRRGBg26QXQxW+Dm5+Di/FgC1
                                                                  MD5:89C09CFA2A083503EF56D1888F8E7A41
                                                                  SHA1:5724D18595E89E7B2534951F34C6AA935BC480E9
                                                                  SHA-256:00CC6861E7DC27E0E7CFD70DA7883B93B33A963FC0A40250B2F260612FE0E644
                                                                  SHA-512:6241D3DEFD6F8D3D5054496BCC5C31B447054EC69FE364AC797006A84372EF985A9199B7B5734FFF689EDAB3BC193AF97E2980F4C6C8A3B435E90C5A3D41B45F
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):9842
                                                                  Entropy (8bit):5.431055572355543
                                                                  Encrypted:false
                                                                  SSDEEP:192:sxPKZM7p9rKYPcHpNdvhG0U/4X0jS7nx3B62izLGE:sIZM7732JU0UO7nJgxD
                                                                  MD5:FC3047BE118223B5C4F03AB817A5071C
                                                                  SHA1:241ADB8B6F8F1AD623332FC17314D93F496AEA71
                                                                  SHA-256:099ADD87EC835B9933545ECBCD50F75974653169D7E8967B088546168EF3DF60
                                                                  SHA-512:E1E8428213DBBD1BF545D5308F3C8F83C09A58354D7074A2120B0B019119215E091673BCA101A9EB6B7A72FEABD6AE5FC806B49116EF2893A70E75321A3220D9
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1812064
                                                                  Entropy (8bit):7.945081365035884
                                                                  Encrypted:false
                                                                  SSDEEP:49152:ZXcj6w4Bshsp23n+UA0GqZnk9MGWY7V0dOawoIn5:amw4BBgVRpnkZlB7a2
                                                                  MD5:16E05FBD59127A172B69DBAEA52AB595
                                                                  SHA1:3655FC9990CDCF90F91B0991E3382750F0E8ACC0
                                                                  SHA-256:38432BF3649FB00BB56EB7159F044019BF2994FD68C17CBFAC3EA72C2575175B
                                                                  SHA-512:1AD4C7A8EF1265609D712BF31CE62D788D7CE9CE7CFFDB344E8BB4939A92B05F5A5EEF01EB9A41FDB0C69FEFAD3DC513D65BC7AE9B18305F0190406D7C15ED16
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):810438
                                                                  Entropy (8bit):3.9763619261024403
                                                                  Encrypted:false
                                                                  SSDEEP:6144:jK7yWEs9GWjt3YHgMz0VIyQ0Z+CX3pOtoqg:jK7yWhGWjt3YA1I9C1HpOtoP
                                                                  MD5:DED20ADFDF9F08E081C34E0E175B41CA
                                                                  SHA1:3A7AF51710EA63DF3FA23E8C3A8C6F393B690880
                                                                  SHA-256:4421EBA82D7266906CFB76727CE63E3BAA0E3583C1E614406049822A4235E030
                                                                  SHA-512:9955C29824ADE6028084A7838170D8E536BA14F635077FCAA731A5F7749607F6B1FBF575B80108EB0C3C18FFF88FFE040118769AEEC4E1F7E3B1FC91213C2F91
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):335750
                                                                  Entropy (8bit):4.534771688561636
                                                                  Encrypted:false
                                                                  SSDEEP:6144:n6VImtUATYb2iMEqv+6oCT1YUR26L9B/e1SCAIHKHC8y3Fx63nuGMKEoFqLCV5CM:n6vkhqz
                                                                  MD5:B6D5C21C42A3A25328236E75BDFC3E33
                                                                  SHA1:105A520F0768251D80A3FAD418F0BB9DA191CFE0
                                                                  SHA-256:EBF1BC7070D84C6904602EA81CFFFDD35677291E71D35091E5FF5F5DF901101F
                                                                  SHA-512:A919D8E913ACB06BCD1099618846467621A7CD8A2600969BE5FBD4D5A31FF453466737CA23ED46798423A784013D1ACA75923DD06EDA563C495957FF435FEC6E
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):927650
                                                                  Entropy (8bit):5.103465541729651
                                                                  Encrypted:false
                                                                  SSDEEP:6144:Ofhsn8wwu1GI1sj4QDKWTsYKB5RszmuOssAsnMsX9BsTRJKeyosbbcRtYBoPhsri:OYlWcnbunRJenPWL
                                                                  MD5:0C2F5D303D4F28A508BE40F055974799
                                                                  SHA1:0CE40C31734015476DB53B2318EBD8EB1C7DD6CD
                                                                  SHA-256:F1A618950D1F4A92FA5E6AF629041A9701DC6885B6CDEC89A43CE8269018B977
                                                                  SHA-512:724F84027EBE99C5C4D7EB03E8CA74C224F19A3D5CE749F437912EF7B33EA27CEB16537110DDD33765A75A304693CF278DB373E8B6E37CA442632C1E417F0155
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):405935
                                                                  Entropy (8bit):5.486697094694163
                                                                  Encrypted:false
                                                                  SSDEEP:6144:l/g/PUeJG0QayifosvPjXev8+hxaUbJdblUYMn4TKdtLB21ww/WkH+kV:l/g/ZJbff3bAPn
                                                                  MD5:777A233A707C332DA176246763ED19C1
                                                                  SHA1:A369851008403A912870E3A0FE232E7F536AECB6
                                                                  SHA-256:38F9B1D29931E473389DEAACC0AEA5D656E5DBD20DEF948D0BDAB2892571453B
                                                                  SHA-512:9E80C261B5AA217EC59883B2D776992A2345E3467C3AB1748F372DDE87AA06FD09155933170B63534E57BE4EE6B5D161CD834BE4E79C521D0A1DBDF0FDD9FD0B
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):95329
                                                                  Entropy (8bit):5.120860947836709
                                                                  Encrypted:false
                                                                  SSDEEP:768:jGqit+mH/v4X7tyTiROvtPVsXueZBUxMGfx17Qt5oBKzYzfdWFz3xjmJPDO6aqF8:j8vAyF1f7a
                                                                  MD5:BA1BB8522AB0869E513031FD6A72A11B
                                                                  SHA1:821AC466C4DF1DA5DDCF4531CD27D0823893F642
                                                                  SHA-256:004F66890FED18B3DBFEF961C627E20D43530FD76F142419D6ADEC4876371B37
                                                                  SHA-512:FFA4A2DBB02285017F1E6CF3F15560808D328C3A543D1C61622F874257D8EB0EA803BFB78911F3E797AEDCC116DE65BDA9A82825E89336228E036A5922EB58EA
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):3770
                                                                  Entropy (8bit):4.843051132666973
                                                                  Encrypted:false
                                                                  SSDEEP:96:QlmZifYylmCieUet5lmCiyetUNr6aqA848:RofY7peKpiNr6aqA848
                                                                  MD5:E54F8E73A0DDCB0F208150DF80B608E7
                                                                  SHA1:0803F1271235994A11E079D94B83F40E24385F12
                                                                  SHA-256:D46D9063403325768C0A5A604C0A0E51C423371E9DD3EBC3B23AA7C0A4D33591
                                                                  SHA-512:69C2A53944C00A7CD1FCB11ED853BEAF5DB1A4F4353BF39A57D8D07C3499F604C17C47593972914AF55696372F04956A0D033B1B61DE253798388C5F9C4086CE
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):109234
                                                                  Entropy (8bit):4.374126879612819
                                                                  Encrypted:false
                                                                  SSDEEP:1536:8s99Hpoh30dEpQYWWYzvqzRU3VbORlwJFHMSLLeonAeTHarQxpit:fnAXQPit
                                                                  MD5:51B07CDEDA223B1A20F67B6807F30FCF
                                                                  SHA1:F596EBC25CDD1EC6FAFB847ABFBD2E655C4DC859
                                                                  SHA-256:7107273A04C408FC8448DF9C8F86E7489E8160D8136315869D90EE8E65CCC284
                                                                  SHA-512:ABF2451B2EA6D6D16EFF27F40D1D54CB0A51C7FDACD90F872F932159FE08AD1286A84F636A5428C58E42A3CE9154155E674CD8D34655C857D6450A3EE8605A0B
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1258947
                                                                  Entropy (8bit):3.7710460103037127
                                                                  Encrypted:false
                                                                  SSDEEP:24576:LqquNa6KNa27Ab85oOSrL3Qi7vhdwYddXYSOeTyz/mshtCoqkE6h1bMtZ9vqh4om:0
                                                                  MD5:6725CCCFAE708653A0C6226C3308C8B7
                                                                  SHA1:381219686EBCD55F7DBD0A7CCFC1C41E29292543
                                                                  SHA-256:67B53DDF21911F0F99CCF3491EA70617F057CF7B632FBB2257A30D8D977CD548
                                                                  SHA-512:6D8D15A6105A46223FC5AFA1377BE52069D0395AF39626A5CD027531C65DFBA2DEF9787C6FE4824C29F52F2498900091A355B61D3AE2888C2755DA0D4F8DBB57
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):90889
                                                                  Entropy (8bit):4.624624721398593
                                                                  Encrypted:false
                                                                  SSDEEP:768:yPAcDjxI5FvjyGR35A9Y0n/LrCb+/H5fvrJcPaN8dG:hcDjxI5xjJ+9Y0n/LPH5fvrr
                                                                  MD5:94C90DC3E1146BFB0CE0728B94B07011
                                                                  SHA1:DDC34E9C11E53B04EFD86D86642CFD5693C502DC
                                                                  SHA-256:192367D0A9EE9215C922C85B96C185557C2F743693CF27A637C6CF2CC8BD0E3F
                                                                  SHA-512:A9B0C6C2202AEF8E5084C0AFBCE88B2310511B7AB591AEAA9BF81B1A4FEC098DDC1842609B0C83EB52274E9328352ED0B0AC673B1F9681914E7BF772B6099FCF
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):13273
                                                                  Entropy (8bit):3.5987560609108
                                                                  Encrypted:false
                                                                  SSDEEP:384:aRF829PVI829PEI829PYI829PuI829PRI829Pg3x:ukzTBIo
                                                                  MD5:AD3E36FCB248D3CB4A5C460B51FB4BEE
                                                                  SHA1:AC7B94362EB84B796542E6104CC108BB1E01C1BF
                                                                  SHA-256:FA5A825DE3663EFC9A1AD3BFC039C13047D2213B4F8EC726EF30F5DBB072D44E
                                                                  SHA-512:4F3ABB565B20EDD82657D3192E2E3A3C6EDCF19CD0632052B8D35CC0F865D9876F4D2D4273D86CBD46C34B537146A7350694F1484884EFE4B65FAA271359236E
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1109
                                                                  Entropy (8bit):4.732836257296932
                                                                  Encrypted:false
                                                                  SSDEEP:24:pfwzw9xlwvJH0FRl4SlR79/rWPRjb7e8W6b:C2eARmSDpSPRLe8W6b
                                                                  MD5:4FC9F62B7329C8CA55573FA0B8BD30A8
                                                                  SHA1:CC268C001001652EAE36F2C72C7BE941F5AF5EF4
                                                                  SHA-256:D3C90BF779D03E84BE749071E6EA763DF79976E2C600FF1989B884305917E72F
                                                                  SHA-512:E6039BD0F2B0AF060EDAF01CAFDA993BA56C3EE29D30B3FE3E3C4BF2FCE0F861B4D09C0C426BC11BB71D1F45B6873FC9F2E37806E14962988D2938AABFE945E7
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):2141
                                                                  Entropy (8bit):5.439315162932203
                                                                  Encrypted:false
                                                                  SSDEEP:48:Hyvlp5LbIS1SoWBGIiRoI7bW4NoIitOEoIxeIbygoIoj8ZTWG:HydzcSwBfiRV7rNViUEVxeI+gVoUTx
                                                                  MD5:CE58E246ADA52A7FFA052E4FD80B52C1
                                                                  SHA1:574E9BAC05F7FF4794E3DFD59E5A3D5BDD86EF65
                                                                  SHA-256:06BD346B372CDEA842405CD3313155CE12BB14726E9F1BF0B92DE48E8A21B2B2
                                                                  SHA-512:F145EAE6A5055EB390FB579C92AB11F95AE558D3539EECC438B859C9525D9F4E23BC8AE928E418F42A0CFB985B86EB12713D5D177189BE0B850F4D0D955504D0
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):515461
                                                                  Entropy (8bit):4.4090572222077125
                                                                  Encrypted:false
                                                                  SSDEEP:6144:PaHT4Z5N/IeCj4F0HRA7DftU/3ckkJi9bXO+ADgiOQz:7nmw
                                                                  MD5:0EA9957AC94A5C59334BBD6C0CC98BC8
                                                                  SHA1:136038610D14037E94EC7A5CC5D9358F9A9190BC
                                                                  SHA-256:73B1AF54E374A685ECDE44B26411FEA147646B2578B7B271B2971E2392F6BE8E
                                                                  SHA-512:C8F434EB0FF5D29240ED3B2FBE50B650FF10CB3C9C790EEF57E9F03CD54FE20B72D346737201E99B3B464F19137495D1D6033B82F3598F73348B7177D16869FA
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):21462
                                                                  Entropy (8bit):4.854571078378696
                                                                  Encrypted:false
                                                                  SSDEEP:384:ncQl5PJ5Ozx4Cpp+wEu9kk2w3dGBT+KefHWGZmJuz/3t3uLUanifBT:ntZJINXv8anfHWYB/9CiN
                                                                  MD5:25FDF45A4DC8140F98E0E4DBA0735AFE
                                                                  SHA1:72A1D05F6AE369556798E983958636B7BC43F937
                                                                  SHA-256:0D1E4B128CDCEB7DCE5D9DE4992B54C9F6A3E297F3430310B77E268CA08FD214
                                                                  SHA-512:A17906DF202DE1E6509FD8857F09A043E6BD5C56DD7B6A5628249B4CC445EA3044DA7687EF59937EF0AFB2B9D1067E25A5DE2604A4A09F975BE8A1C286895E60
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):432667
                                                                  Entropy (8bit):2.088163082244755
                                                                  Encrypted:false
                                                                  SSDEEP:768:hgthj4fDJQdoRBv1INdUjaj8DhnZRrUjchJ:hgtl9lY
                                                                  MD5:EADAF3A951D938C8ADB1E58101321C9B
                                                                  SHA1:7C9F704560617784588382068B35FEF815F17047
                                                                  SHA-256:A490ED4BA3B8339061B4D178158FC70676CEBE1AC9B6359CDECB81CDE649128C
                                                                  SHA-512:01181204270A13849AAF0C6C082CC811313EFB2CEAB1FA0FA25138E484B79467427939F1C2660328BB4C4725152087A5BB19052F63067C6185794E6F89528A66
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1250860
                                                                  Entropy (8bit):2.9495758247146906
                                                                  Encrypted:false
                                                                  SSDEEP:1536:wTFsihqt2i7mKNB7j9BN3GrtiiqXtZibE1IdiiJ3OGivRgiOt2ic6giFaJyXiWIJ:jNB7jxlqB7j3W1
                                                                  MD5:1ED3D0F5624795F0CBA595A6DAAA35FA
                                                                  SHA1:5E360EBF742E357607125A6297C8544011EF212A
                                                                  SHA-256:640A1A727311CAE73B2E4EEF690A529138F65B801047496CB01681F5C094AB1E
                                                                  SHA-512:2C1E8403D6DEB6B7C4CD95C7F07B607C08683687D880CC58890266BE7D98BA8667C7B7D403CC16A8724B369C68277D4A17EDB75A76C7E187CCA1887E129C7212
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):66433
                                                                  Entropy (8bit):4.273569498212104
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ux19KwduixhCTLhIY4f0h4SVQ+2QS3UZYi80bD0SPgzHkU+GRbf:OKwdBCTLh0k4Sd2Q2vi80bD0SPgzNj
                                                                  MD5:CB20B744302781E16AD5F781FB3BAD0C
                                                                  SHA1:F67AEF34FDBD7E133B7ED3F564A944C1370F0D1D
                                                                  SHA-256:57B20281FBAD9ADC48A3D045D987E2D417A47CB43BD1041564D17D0B4B19202B
                                                                  SHA-512:12130539B3A7F883D237A7D757DA9FD014F7BC83ED3BDB14FED1945B7A32AC7880B09D3F86CE6CD8549020408C7C7E1D3EC2C3DC3EC6694D909BD90CBD3E2CEA
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):177828
                                                                  Entropy (8bit):4.722845228785366
                                                                  Encrypted:false
                                                                  SSDEEP:3072:SIgefe4gggggTU0dnyiRiZkHmKcvqCABrSM+:RiQkH6vqu
                                                                  MD5:44CF213D2C01ACA1E31897C92603E19B
                                                                  SHA1:1D324C981BA15004787F6ABEA8503193742530A7
                                                                  SHA-256:F7DC129B123EAFDC12B89F0EBBBA5724667505E7EDC8CFF13F615ECB2251FC64
                                                                  SHA-512:28248D9F1370A1875ABB5220FE53FB470647F7C472BE9FB3C54B5AFCD3E17DFAE889324D7123080F93DA8E523EB76F6660585BD42775FEFCE3A8388A5964667E
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):17543
                                                                  Entropy (8bit):4.4486607877589615
                                                                  Encrypted:false
                                                                  SSDEEP:192:xJv1QXs1iE0IpF1T033siIXD3bimcY0gesB031fsdJ3+:rv1Qc1iE0IpFJ033cWsQlYJ3+
                                                                  MD5:204710C7C4AB28C0378FF2833AD4572A
                                                                  SHA1:1261F74FED0FB3110264B61D22D38BBF1CFCF3DB
                                                                  SHA-256:43BA054586EB7377B3EA629EFB223D85A0E8522DA52F1B6A1A9EFB44B3E74EF5
                                                                  SHA-512:C6329750DB5011E213069173A547E0E725206AE367283EE864B75281F41169883D74A29EA93923B45D4996F9ADDE9AD303D8004D5C034059B87A1F2B2BB8CB23
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):3546
                                                                  Entropy (8bit):4.231625396437484
                                                                  Encrypted:false
                                                                  SSDEEP:96:i5Y+RY+jRiNwDaNwD/bY+gY+aY+YY+hY+TY+AbY+LY+PY+keblLF2088fYs1zjY5:/fWcwDkwDc2kuFbbEjnS5qFh54A4n9Fq
                                                                  MD5:0318CC9E0622C5B324148657A809D5D9
                                                                  SHA1:DEB92A488FEB4F1F27084710BD0D62650337F7A6
                                                                  SHA-256:B28B8E5115EC094885C538BE969A937E47DA2D16A86E4CAA54179BACAF266FBA
                                                                  SHA-512:1FAF461A44A8CE80D4C0C30CDC26A76DF245848F288A1EE4E9FFB89E63AA620186D2E1486F2B3E795EC16450FEE728307F434430354A4E94E86854823349F08E
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):92602
                                                                  Entropy (8bit):4.218033991813995
                                                                  Encrypted:false
                                                                  SSDEEP:768:BcpDDw7VnShNDDSLrD8UkDDVnEhNDDSzlkDDjnQDDlkDDCntntnnmkDDuX/Bpr61:F7VnonQncntntn8Bpr6oCsjHM
                                                                  MD5:0CB99ADAB85F88734E0F360C7D090254
                                                                  SHA1:1B150FE2CF82133F491371C0682F197451DB1E99
                                                                  SHA-256:BA9E16E6CADFA515800C31A1D4361C9E19A9B26117A297A70830379A3A9A0035
                                                                  SHA-512:68FCFEADAB502286CC4B2F6AF29D4114FD0AC700B7D743F9EC8C942257EF9A50C64FC1FE781F9A4601E01135828385EE97FCCACE5218C0D338B4428C7B45ECCB
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....:i..NPMS....B...NPNE.....NPE3.......X1....m...d.G.....>...d.0.\.N......1...Xs+...+........+.......>........GA....0...11.......................d.....-..3M0...3.0.#.-...............l............G>.....nz....T..(.........+..........G>....1..|....)JvA0...L.+........L...#.0..30.....-......3.......y.......[.y..C.._......3.....#.0....y.3.0...................L.+...+........+.....s.....q...........q...........-.03..#...........................................................................1...+.......+.......s..............L.+...+........+.....s.....q...........q...........M03..#............................................................................1...+.......+.......s..............L.+..................s.....+........................0...0..30........................................................................1...+........>....L.R"2clQ....O(o...+........>....L.R"2clQ....O(o..L........0..#.-.f........................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):28659
                                                                  Entropy (8bit):4.351131418416251
                                                                  Encrypted:false
                                                                  SSDEEP:192:yJk9QBiACFl4riJKgECsY4NL2IJRf0I2Gb28YkvXVU4xUnUmmUVWPf3IEaQlLS40:MFUt2RlvWOjtGkvg8N70jl
                                                                  MD5:E8E868743D62FD630A3D3DE40F4562DC
                                                                  SHA1:26507522A12D7AEA24E0345FD381A524E01F227B
                                                                  SHA-256:0C6870ECD7736DE0D7972B30E457411C0217FDAB8536C1586C6B91763808E13A
                                                                  SHA-512:74F3342F86FF8A0879848D5D27637A42958333793B296C0A874E035A44FB71D3C52AAC5BF57393AFEE67E2E634C449FED6A30BC83137EC63F4F11E0D0583593F
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....so..NPMS....B...NPNE.....NPE3.......3.........x6%666..,..lf..%.....%6..~...~%6i%3...~...%.%....b...MxO.......%...3.....%...3.......%./.........J...%....`.%...3.......%..%3......../.x...j.l.F..r?...%.%3........%.../.x..K.#.z1..a.....E../..~....././...`..`........Q.=.......=..;...2...=...;.....o..,.o...........`...o.%.;......../.%3....../.....~........3...r.......3...R.....%.3...#....../........`..2...............................................................................~..........s..s..^...p.........~..........s..s..^...p....../.....~........3...r.......3...R.....%.3...#....../.........2................................................................................~..........s..s..^...p.........~..........s..s..^...p....../.....~........3...r.......3...R.....%.3...#....../.....;`%..`..............................................................................~..........s..s..^...p.........~..........s..s
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):373527
                                                                  Entropy (8bit):6.825429230209495
                                                                  Encrypted:false
                                                                  SSDEEP:6144:17F5AND8v8nET888888888R83rX0S/khUIk2ApgfNMU9iUIbswFcaCyDcBvgZqqJ:x04b5R2YgICwaMc6uS3G61Gqa8
                                                                  MD5:22B2E5D7869B67E8424591047C2B08DA
                                                                  SHA1:CEB53B1A5AB9DC30EA486640FF314360987E7327
                                                                  SHA-256:4621450EEEE14C1ED9E1C633A64D855BBCBE34514B6FB80288959299B0C81951
                                                                  SHA-512:C132E2F6758036BFEC672168F24316090EDD557263F0B1C3F2E5584736C5C8C091202264808198526FF7131C20FBE971C340395B13450A0C14606289781DF073
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.....= 0j.eeeReee#...z...aeee..~d..D...z.G.kz.0.beeebz..z.eeebeeez.zFaeee.3...f......e]..z.jj.eee..eez..F.eeeeeeez..#.eee.y..k....zk....yez..F.eeeeeeez..z.eeeeeee....aeee]........9.Y|....z.z.eeebeee.z.F....aeee.o......J.........-.beeee....-eee....e.eeeeeeeeeeeeeeeeeeeeeeeeebeeeeeeeeeeeeeee.eeeeeeeeeeeeeeeeeeeeeeebeeebeee...z.eeebeee...F..-Kbeeee...F.eee.eee...F.eeeeeee..zF.eeeeeee.....eee...eQ.eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee...j...Kbeeeb...Faeee.-...@...>........Kbeeeb...Faeee.-...@...>.......-z.eeeg..k......eeeee.eee.eee]eee.eee.eee.eeeaeee.eee.eeeIeee.eee.eee+eeepeee.eee.eee.eee.eee.eee.eeefee..-..eee...egg..y..eeee.eeemeee.eee.eee.eee.eee.eeeCeee.eee.eee8eee.eee.eee.eee.eeeneee.eee.eee.eeeHeee.ee..-z.eee.eee..-Faeee....Lw...a..W....-..eee....z.;..keez..#.eee..<z;.gg<.yg..y..g<.g.ez..F.eeeeeeez..z.eeeeeee.zj.beeeb.z..-Faeee...y.D..g...$f..-..eee...k.F...e..)..y[.eeee..U..h..e
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):127298
                                                                  Entropy (8bit):4.606264868880778
                                                                  Encrypted:false
                                                                  SSDEEP:1536:DFUOvq8GQ2bL5AzKuZ1PYvOhSgqwDix5NipbfuVnXal+LaryNdaA7gRTpCp9uNPP:qf1h83j
                                                                  MD5:591637EBFF1ABD7E24358C63D27C14B3
                                                                  SHA1:721B74CB7BFBC85324859D316A082470D214862D
                                                                  SHA-256:2143789B171DC58C5B0A88950B237E07E04EF8C7B0D715B662FC467958CD0908
                                                                  SHA-512:8C0545F721CF9F5342A4B628D8CBECE9EA73836F8E01132247AC1099AC3872142C16408EB39F14BABEF00C61F165DE079DE19A8990D928F6530078C54E550D11
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3..............k..}w}}}....:.....Aw"..m..V.w}.....w}Ew.....w.w\.....S......B.%...Y.w..........w.K\.......w.ok....K9..v.Y..wv.Y..O9.w.K\.......w.Mw.......KoK.......B..X.3f3C~.KwKw...b...KwK\KoK.....b....{UK.eg/....Ko.K...KoKo......v..96;9...O9..G.O.v.|...;........g.Y.v...........O........;........l.KoKw.....KoK\KK.g...KKK\.......KK.\.....KKw\.......KKKoQ........v..9..O!;..O9............................................................KKK.KKQg...KKK\.....,...m.M....U...KKQg...KKK\.....,...m.M....U...KK.w......Yv....;9...O9.....P...O...O...g...W..H............W..........G.."...i...e..lK...9.......!...g.KK.o......v..96;9...O9........v..9..O!;..O9....\.........l...9..s|.......}...g...Q...........6...;.....KK.w.......KoK\KK.g...KKK\.......KK.\.....KKw\.......KKKoQ.......v..O!;..O9.................................................................KKK.KKQg...KKK\......._..w(f.x$..2K
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):15510
                                                                  Entropy (8bit):4.69058393400296
                                                                  Encrypted:false
                                                                  SSDEEP:192:J1mpVMIymNmpQLSgsIjRHS8RUT7rxhGVOShXDjnMY0kAlti:JgaI8ZxEJhf2i
                                                                  MD5:871E003595257139A05BD5199539BD23
                                                                  SHA1:5712C28AA9FF2B9DFC0C2A664E0A56597A3D9190
                                                                  SHA-256:2E2909E3CB571605C900827A32191D42C0E150DEEAD5A9A133E33EB0A798FDE9
                                                                  SHA-512:09696BA59C3E0299FB93EAFD5B8F0283956B5A5CA4033B4CEA75802EC946C54D4DE6321B491EF6DECEE412B7F810BCD1CE8D285101FE18F1A01261DC17A9AD40
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....<..NPMS....B...NPNE.....NPE3......`>....,...K:..}... ....l.~J..}...Exi..}.>......}..}.......}.}. ...............]D}.........}..........}..K.....x..zl]..}z.]...x.}..........}.B}........... ..... ........1u|.}.}...*....}.... ...Fb>Jj..s..j(d@...t..........t....B.]9........... .......................................... ............yyyy...}...*.......t.............!................}..............&.]9tz......................................................................................... ...kt-.S6B.o................... ...kt-.S6B.o........t}....c)]z.9.&.]9.zc.......................................................................................t......B.]9..&.]9tz........................................................................................t}........t. ....= ....K.F....A..t...Gz..................0............................................................t. ...A^R.........Es..t.....q..z............0..........
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):56749
                                                                  Entropy (8bit):4.330776665461213
                                                                  Encrypted:false
                                                                  SSDEEP:384:zFY5lVKlDtdH8wYY4SqCkiQrB+OPgHXwQdgHXxk/kiQrB+NgHXJgHXOOANDS3t1e:zFwnKGj6Aw3tzJkJDwvfHRtOrl/NP
                                                                  MD5:52758739A43A02C0029E0C68177BAA74
                                                                  SHA1:896D02F8598D92E3B64DEB7811C6E92A67B6FC52
                                                                  SHA-256:055C6EF1CAE03B337E955BED91676238B1E5442046109ADF2A712A7F102E63DE
                                                                  SHA-512:1FC9228954E17803560E6A152BFC84B1133DD1EC1125F038B51BEC61E5D2F695A8042E3854F0288EE3BD1F131CD7B4FC19BF050067F4A80E5276F0796ED4674E
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....-...NPMS....B...NPNE.....NPE3.....8..."...@.................fy...n..)B.....!...!..."...!....\......+b.^..i^.._M.\.."....I...\?."........\D.(...?j..9]_..9._..j..\?."........\.".......?D?.....B.....D...d.R.6?.?."...!...?.?.?D?......#.*...0.E..t?D.?!....?D?D......._..9.......0...9....8.......Y...S.k...f.k.;.9......_.k....9._..?D?."......?D?.??..!....???.".......??..".......??..".......???D;.........._..9.................................................................???.??;.!...!???......q..o..b.O$r.??;.!...!???......q..o..b.O$r.??......_9.R*.._..9.T.<..z<..T<.a.<..5<...<.|J<...<...<...<...<..s<...<.|7<...<..u<..`<..4<..m<..H<...<??.D....._..9.........._..9..}<..v<...<.a.<..U<.I.<...<..|<...<..T<.I5<.=.<.|.<.T.<..1<...<..<...<..$<??.."..."...??.....O."uZN..:...~.'??.D;....._9.......\D.....;;y.._..y?j.._j..y...\?."........\.".......?...!...!?.??.....O."uZN..:...~.'??.D;....jR.......o...o.T.sW|AsW..o...o
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):35688
                                                                  Entropy (8bit):4.761308921758711
                                                                  Encrypted:false
                                                                  SSDEEP:768:xstxb4yJfR2j+TZngwLyljauLOLe81eqy1Wn2:xIx1FRW+JHelauLOVAvMn2
                                                                  MD5:A085674A474D1E73AF2808D1AC1B7B24
                                                                  SHA1:65DBBEA48E02ED34ABAF84F6C9F734675078E9AD
                                                                  SHA-256:C2DCF7BBD786FA6BB1E4976AD955D5230AAD4BFEBA03D74B03C1B4F58368E517
                                                                  SHA-512:205DA034F66278E3DAA0AE53360DE3A9D4706DC609E8AD04C8A6409E454657849FC7C6FD35C24FA31CCEC31F1A192B250FED6A4D6C919CFDDF4ECE10F176860B
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.......NPMS....B...NPNE.....NPE3.......3F8.......j.......t.........x...jf.R..3Np...p...8...p......t...eg._5.K..5...d....FF8...Dh......8..........j9............s.......8...........8..........t....um....A[Po'.3..8...r.........t.....`.`L.....3.'9.....p............s.....P..N.o.M.........M...........M.....#... .=... .........#.s... ..............8...r..........p........8.........N.8..........8...............0.....s.s.....0.#..............................................................F...p...p....t.....*...&.^u....!2...p...p....t.....*...&.^u....!2........v..P.0........![............R.....![.....Mk..p...Mk...............Z8..........r..P..."U......C6.........s.....P.k0.....s.s.....0.#........![.............r.t.r.r..........n[..n[..n[..n[..n[.....dd..!.....8...8.......t.....8....X/t..q........"..s.s..e......jO......#.............s.......8...........8........F.p...p.....t.....8....X/t..q...........0.#e........................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):348928
                                                                  Entropy (8bit):4.654845576108764
                                                                  Encrypted:false
                                                                  SSDEEP:6144:2kXD3TdWMMLMMwMM5MM7MMjMMTMMzMM0MM3MDMMTMMTMMTMMDMMUMMMUMMsMMMLu:aMMLMMwMM5MM7MMjMMTMMzMM0MM3MDMq
                                                                  MD5:B6AAFC232558E5DE9AD20E540E81498A
                                                                  SHA1:BCEC6BC479DE06BD07B923535264426432E20481
                                                                  SHA-256:81C4AA5B6E952A2547D22AFF87A83C7BB7C81B9DE8CD564CE9493E5089A22E0F
                                                                  SHA-512:13A7BC969927E1E0EA168C1BB7902172E856CF34E01BF4A275DD2C649B2DD97FD1007E3666451D8F2FBD03E2B169AEDBF7FF00EC859F69733D4AE4ECE8A6A0EA
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....R..NPMS....B...NPNE.....NPE3.......n.m...<...."...........CC...@.4..,...n......._.m........6.......2Zr]."Prc..W.).6..m...Z~...6j.m........6.9...j>..{..z..{....>..6j.m........6..m.......j.j"....q.m.. ."....-M6\j.j.m.......j.j.j.j"....].cM[.......V.j./j.....j.j./........>........{.q....A........&.A...l.[....[..{..........[...A.{....j.j.m...-...j.j.jj/O.....jjj.m.......jj..m.......jj.m.......jjj....3{......>...................................................................jjj.jj.O.....jjj.....H/D4.N..UM27.wSjj.O.....jjj.....H/D4.N..UM27.wSjj/.z....{.3.>....>..w.(........h.=......w.(........ ............................z..................jj/.z...3{......>.........................w.(...............................(...(...(...(...(..........jj/.m.......j.j.jj/O.....jjj.m.......jj..m.......jj.m.......jjj....>....>..(.z.................................................................jjj.jj.O.....jjj.....H/D4.N..UM27.wSj
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1659
                                                                  Entropy (8bit):5.495644385007888
                                                                  Encrypted:false
                                                                  SSDEEP:24:pF5aN2rBfyY72p+NPxA/Q4MX2Qwz2CJC6WD:trxyY6MNZsQ4MwzJRWD
                                                                  MD5:2C709FBC6D20AF7083DBD2009DDC3366
                                                                  SHA1:5085F128D99855F1A363D739B8B8E359199D4BBC
                                                                  SHA-256:5891367E8753135148AC617C201750EC6D973B5E0789399186CAD7F166A0FB4E
                                                                  SHA-512:F56836F4D3C3DFA94D51173572805FEC4472B15B6920F8A222886788A148AB3610242B302B60C197299AD6EBDB5367009E4BBD447A680E2134664A55BDE9B595
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3......E..........R.T........ce.fs.tR...t.u.X.............................D..w..<T.._..)...............k............R....k.u....C.....u......k.....................k.kT..........@.P..*Zk.k.........k.k.k.kT.....en..GTv..q..f.k..k.....k.k.........=..uu...f...,.....7.........f.u.........U...}.........u...................u.k.k.........k.k.kk.......kkk.....*...kk..........kk..........kkk.......=..uu...f...................................................................kkk.kk.......kkk.....`.dn0:...2......kk.......kkk.....`.dn0:...2......kk..C...f....=.f.uu...f..H:.a.:..?:..W:..m:.#.:..H:.a.:...:...:...:...:..b:.~c:..M:...:.y.:...:...:...:.~.:kk..C...f....=.f.uu...f...:..:.F.:..:...:...:.#.:.#.:.y.:...:..m:..F:.a.:...:.#n:...:.a3:.F.:..+:...:../:kk..........k...........k.k.........k.k.k.k..............k...........kT.....s.X.G.[....y5...R..............k............R.........U...........k.....................R...........!...L
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):19803
                                                                  Entropy (8bit):5.105104426038507
                                                                  Encrypted:false
                                                                  SSDEEP:384:IWoLiZDUkzUQ3b2jv3sS5CxQL0x3iNu9EQQyNTeQvQ49:I2JLc5CmIkNiEQQyNTlIg
                                                                  MD5:7DFA34FE5D6CC2980C3BB6DC05634C60
                                                                  SHA1:DAE384FFB8FA4B8B43B600CF8C77D81BACAFC0D8
                                                                  SHA-256:15E3E772DB890E2905DB9BF5D5FC2BE12B518BE2AC3362DBC6B0E06ADF6BDF50
                                                                  SHA-512:031AD3FB89BFABC4FEF073C2A54B2FCE10CFDE3C0FF0C461166F9FC956D1D0509F7FFC211C5CE836EE6106EB8C7AEF368CF0AA8C592CAEBCB636816BBAAE1DB5
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....L..NPMS....B...NPNE.....NPE3......$..E...}....Ye[.[[[.....a...Mg.y~...*..[......[..E..........._m..'9e..21.......E........d.E........Z.....dNk1....1..1.kL.N..d.E........g.E.......dZde....S..1Sn.....6.s3.d.d.E.....d.d.dZde.....8s.."(\s..kq.S.dZ.d...dZdZ....L.1.k..N.kL.NT..W.....M......1.T.k.....>.o........@...k.1.>.L.........k.dZd.E...E...dZd.dd.\...ddd.E......dd..E.......dd.E.......dddZ@...T1r...k1.L>1Z.V1..> 1..........................................................ddd.dd@\...ddd.........!.]g..m....:dd@\...ddd.........!.]g..m....:dd......T...1 Jk1.k..N.kL.NT.a.B.J.B...BDb.B.'.B.Y.B.J.B6..BF.Br..B.<.B.G.B...B.E.B.B...BB.Br..BDJ.B..dd.Z....T1r...k1.L>1Z.V1..> 1..Bl.B?..B..B.h.B...B...B?J.B.i.B.B.B.{.B.x.B?a.B..B..Bl..B?..B..B.i.B...dd..E......dd......[..N...@.T..@.F'dd.Z@...r.k............................................................................dd......[..N...@.T..@.F'dd.Z@... L.1.k..oB...k................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):232360
                                                                  Entropy (8bit):7.072400165375456
                                                                  Encrypted:false
                                                                  SSDEEP:3072:KRCF494CDDOgDqCFYIpHV5s24y0yqWgImekJ418e5Y0K33j0ErD:T6TDDOrIr5s7OgI2JiR5w3XrD
                                                                  MD5:8629EA6A8365F2868EC0BCE0EF318B35
                                                                  SHA1:E7798978E91302BED250A62D7A8A4E2CAA8A7AAF
                                                                  SHA-256:1EEAD096B66C3D06A2B0183D746032B7DB3EB10BB79328D81E49CC53027327EA
                                                                  SHA-512:E71BDBA3033883E88286D00AFD0C6105DA5A6C6795F47ADB895207A120E994C22DC27DF5BD36F100A94CDBB236650C6B23C5F411784A6DA2FCF563EB4F4DB024
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....(...NPMS....B...NPNE.....NPE3.....$.D........aui.iii.......z.....@.).iDg......i..................T.b3.~.u%.....t........$7....W.............9...W.N.......N.....W.....................W.Wu....W9:%.. .\.&>....W.W.....(...W.W.W.Wu.......T.......I.v.W..W.....W.W........N=..=.N........|...$.=...N...m.=...R."./.y."...N........"..=.....N.W.W.........W.W.WW.......WWW.....(...WWg.........WW..........WWW.........N=.....................................................................WWW.WW.......WWW.......c.,.....bE..2GWW.......WWW.......c.,.....bE..2GWW......'....oN.N=..=.N...............................................................................WW............N=.........................................................................................WW..........WW......i%..I........c.~WW..................................................................................WW..........l......E.SmWW.....=N..N=......................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):155913
                                                                  Entropy (8bit):3.366457289359004
                                                                  Encrypted:false
                                                                  SSDEEP:768:hc/upraAl9wYcSsxpbxXiw8oUltTaEQWH9:hc/upWAl9wzNXiw8HltTaEQWH9
                                                                  MD5:5CBA5525357D527EA72642DA768C2ACB
                                                                  SHA1:20F60CB188F4527D3271E36C93700BF40083D79B
                                                                  SHA-256:4CE7CC272857496446344D966AE766D11768D4824FF8E7BF7DEDD01A5BC0D2C1
                                                                  SHA-512:8CA0C63D1C2E4E33E7B3426957DD89448D9ECA574A3B3E4A4701B0D4536144C7740C4AF1FF714DEB28861EF4916B3FC78E3E8B42F12D7BC8F7945F61A69C5491
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....`..NPMS....B...NPNE.....NPE3.....3..(S..........F...i....lJ\.E}.......F..Pj...jF..FS...j...F.F.i.....'} .+.. ..]rAF.((S.......F.b.S.......F./....b...&:r..F&.r....F.b.S.......F..FS.......b/b.i...A.l.fFG.....;.^dbFbFS...j...bFb.b/b.i....]..IY..1..4W..b/.bj....b/b/......&r..&..P.%..~...&....3....N.........6.....K.....b..b.P..g....N.....b/bFS...w...b/b.bb..j...jbbb.S.......bbP.S.......bbF.S...j...bbb/a....../..........................................................................bbb(bba.j....bba.j....F.b.S.......F./......v.F.b.S.......F..FS.......(......&r..&"....r.5.N.(...i..........N....f.b/b.bb..j....bbb.S......bbP.S.......bbF.S.......bbb/a.....N...........................................................................bbb(bba.j....bba.j....bb.P].....Yh.......b/b.bb..j....bbb.S......bbP.S.......bbF.S.......bbb/a......r..........................................................................bbb(bba.j....bba.j....bb.P].......
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):628101
                                                                  Entropy (8bit):4.616964779403252
                                                                  Encrypted:false
                                                                  SSDEEP:3072:ayoZ5lL5lLUlL5lLu7gQdnVmspqSVe0vWuclL5lLBm+:afZL7gynsspqSVe0g
                                                                  MD5:5DA207BCAC7020BCCA9B09AFF4FB5474
                                                                  SHA1:542CD3939D88FBF52FDAEE0BB0DA2AB185FBE35E
                                                                  SHA-256:CF5F463E3D1FEDB3F916E31CFF3CC1916901A8CB29025FA83D25788B9D6B39FF
                                                                  SHA-512:6252E355ABF5D31EC13E69FA4E0AB4906A8E81B2B4A0B850D36E4295531B35FB723EDED09713E5CF493901CC8A2D234903D60402AFFC526B0B5158A330799127
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.....?..................a.....l.J.~.!..A.l...........4..........6.la...u|..h....h.!.Xo..6..........6Zl.........6......Z.,!.Ko.!..!o,.v...6Zl.........6..........Z.Z.a...4L...@..........Z.Z.........Z.ZlZ.Z.a......'...~......iZ..Z.....Z.Z......l.o.QKv......v.D.v...e...?.z.!.Q.,.....z.......C.V.......,.!.....o.....z...o.,.Z.Z...../...Z.ZlZZ.......ZZZl....M...ZZ.l........ZZ.l........ZZZ.....,.o.QKv........................................................................ZZZ.ZZ.......ZZZla......w..........`AZZ.......ZZZla......w..........`AZZ......,.o.QKv......v.....~.......u}......>...t...r...6>.....u"...r....t...cP..u...~....O...W..ck.....ZZ.......vl.o.QKv......v........JP............o...W.....#...s..r...........~....m...U...[..'...#..ZZ......M...ZZ.la.....`.HX=6.....n.*ZZ.......Q,o..!u.v,.v.B...CV...,!..o..z.o,v..iz!Q,.r.v.!.,.}.C...vrQ..v.z..Q...iz...oZZ.la....%.d...G}..3s.ZZ.......vf!'u.(.v}!.'C(.v,o,!.'V(Q.o.!
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):6296
                                                                  Entropy (8bit):4.667622150929541
                                                                  Encrypted:false
                                                                  SSDEEP:192:E7EtK84vCrZ6YJwEak11DI/tGSrNB40FcuSAOaWGwNIAf/lB9pqLIqSdp:ESJR6gp
                                                                  MD5:FCB26A9D6A57EA7155645CAD58A6D5B7
                                                                  SHA1:256CBA5E535D629E696BEF0949239B3767DDFEC2
                                                                  SHA-256:7A2632EAF20B1A801801EFEFB3ECC5A9F0ADD8D8D7275ED77D5D467F866F3F34
                                                                  SHA-512:C0F310A7DC09E1DB0BFEE28A01C4F4B303D95C9A869E061F711908602FD0F1EB541F48F2C2025069EB264D8D6774609D3955A0F9526AC70B88B6C52E629AFA16
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.......%.k### ###@.."....###_.4?.zSE.|i.{M.i".%..###.".."k###.###"."..###...6.Gb.J.}.#."...k###Q.##".(.k#######"..@.###('8.{x.3."{..8..'#".(.k#######".."k#######(.(.###..:{.E..QL8g....("("k###.###("(.(.(.###....h..J.c.p..(.(.####(.(.###...{...'('x.##.#i#.#{#.#.#.#D#.#.#8#.#E#D#.#.#.#.#.#.#.#{#8#.#.#.#.#.#"#D#{#.#8#(.("k###.###(.(.((...####(((.k###.###((..k#######((".k###.###(((..###i.'..i...8#####################################################################(((.((...####((...####".(.k#######"..@A###...8#".(.k#######".."k#######...@7###.{8....."D{.8.{..{...m..#...%.###.....#{#.#D#.#m#(.(.((...####(((.k###.###((..k#######((".k###.###(((..###x...'.X.#######################################################################(((.((...####((...####".(.k#######"..@A###...8#".(.k#######".."k#######...%.###.....k##W.##.k##(.(.((...####(((.k###=###((..k#######((".k###=###(((..###.D.....{...'##########################################
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):6912
                                                                  Entropy (8bit):4.784487191933797
                                                                  Encrypted:false
                                                                  SSDEEP:96:vVocq1DNsV7g7sj5XIZKzDVkSxazIMjNxEZxRe3Q4DMBV9zRp:dWw4qXeaRxxazIMzEkAIMJ1p
                                                                  MD5:32BE2942914692455D32FA99D3F0003F
                                                                  SHA1:DB1094571340769DBB92A01429BF0FCB6F07CC6A
                                                                  SHA-256:DB175FBAEBB8CD9A69AAB56B4F577FE52EFD14A11F3C9F0DAAA85C9D76180770
                                                                  SHA-512:C2D3C7FF1032E0F0323C47527C802BCFF65CB49605AA431A5DDA75E987985FE128A6191DCBC26BDC399824B17BC6AD518CA01A55D00F3F5702C42BFAE04010F5
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):181176
                                                                  Entropy (8bit):2.562680201563505
                                                                  Encrypted:false
                                                                  SSDEEP:768:kPbIxFZ7qzjvwozTv9kWlFkvLgLAjsTQk0AN6tdvtAgcqc:k0xFxqj4i9RlaTgEjEQk0ywdvtCqc
                                                                  MD5:61CE6CE17D76AE611F9C3B55046D693B
                                                                  SHA1:F037277D1C5F2A4F574C690B7759261BDD2AE697
                                                                  SHA-256:991FB33DB0C66BBBC1A16271CC71F9C4A00DECB9FB5FB9531CBE831B5CB7362E
                                                                  SHA-512:DA93CFA982C8D428BB6D1660D35F69632141F0B4B0FD74EA9DE406CC91F7BACFDE059D5463A2A8F23E72FD2B5802B73BB6CAF95E643559FBCDCA6FC617C6F873
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.387646869064487
                                                                  Encrypted:false
                                                                  SSDEEP:192:0JgJImm8hrKb/a+vWMQBOb3X7U6CkpbdscmpvCj:0JgJtfM8OjrU69xilC
                                                                  MD5:0E83DC5236ACA50F3A32BE1B44CC02CE
                                                                  SHA1:E38AFFE380E87DA575959CBB06522F5F949E68FF
                                                                  SHA-256:5512FA404F0590B3A8E511B82040430B419EB603DCC5695E0A77193DA2920A0F
                                                                  SHA-512:AE0610EE99D2897A798C3DC3796D24AB0BD084E09902B140D9359ED0EC18CA6437642CA44E0CE12C0FBAD323F209607A565CE3BD3334D076AC3934C3131895C0
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.640737032928187
                                                                  Encrypted:false
                                                                  SSDEEP:192:48qhaaWjheBfILzd12qnBljTWMQBOn3X7U6Ckpbc8rp+7ax:hqoaeRUKBUM8O3rU69gAg78
                                                                  MD5:6FBA93E01075C2217C750E0E10441C48
                                                                  SHA1:0798CE938E2345EDB12D6D5B323B037185932B44
                                                                  SHA-256:76B8F738C5B0AE676F7768AD67E0D586FD2F9B2296D34FDA56F5F27B9B5BA3BA
                                                                  SHA-512:F27F700CE69F32235E692015E21170CB75C8FE175D353C9C19AE4A106D369DE0250677271910ECB7D55D9FE6FD9A9094F5C7CE7C069875E07C29A58FA54065EF
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16384
                                                                  Entropy (8bit):5.961271078701175
                                                                  Encrypted:false
                                                                  SSDEEP:192:eY1NJFjaJFi1UwA7t+fXyXT1WbXPLKuHRYy8sC5gTWMQBOn3X7U6Ckpb58KYMps9:5jaJVkvyXTY/GcMt1M8O3rU69JDL
                                                                  MD5:87102A725781C286D590F2984A60E199
                                                                  SHA1:78D27BFF3A1400CBF45E56C4DB695C7C54EE512A
                                                                  SHA-256:541C226B50428530D54C189B858AD4FD8E1CAF3E8DF6D2C0DBD0F2D6B6AA8864
                                                                  SHA-512:914FB7402A33A0AE499FAFA5B78A0E4B7EE112FE3052CB4CB3586CEF25B0E8F5E0426F50211865C9427E6CB446B40BA935C0529D22E4C85A745C0366F1ED5FD5
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):30208
                                                                  Entropy (8bit):6.137011574214083
                                                                  Encrypted:false
                                                                  SSDEEP:768:EZYtcUPk/PnFfKY6OPh7sI+sOA7QGcg7ecznZ8e0/DhgXODbtExsd:gYtI/PnFfKY6OPxsI+sOA7QGcgScznZI
                                                                  MD5:F5E6C02951E0E56BB9FA860E455190B5
                                                                  SHA1:24A6D4BF8573C6768F7966F3558838544115136D
                                                                  SHA-256:B41F983F5065739C8809CA757060AF68F8FFD1A7D4B5EBD751B2977EA4A16AEB
                                                                  SHA-512:205629D46C331D5109ED8C536B034A4B218D5E752CFAD90993889376EC3C2F2B8B9274F7F521DE437D1FCA5760A8F66C884F84839B60855EC025417C688D5768
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.632545423334904
                                                                  Encrypted:false
                                                                  SSDEEP:192:GNy6csSdpj2MzNHQyF4FS3MU5Fcuvz9sHWMQBOb3X7U6CkpbTju4plKT:GNy6id5zNHQa4o3Mm+uvxjM8OjrU69/K
                                                                  MD5:1F89ECF465D7A2A318D5127014811A93
                                                                  SHA1:A2F0DCCF4209E68C1DCBF5CBC5C7E4F827B94265
                                                                  SHA-256:1269AE33B7FCE5D5C8AB909E8DC74BF82176641E6DAFE66E6A87B040C45B7308
                                                                  SHA-512:7B7CC0DEAEA329A862959027553302055F8C93C8B11F892B6E08887710D165CF039CCCC6420470AD5D45AFEF7B6DDC9F61FE4218ED9431F97CCB5C04DFED1FC4
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):20992
                                                                  Entropy (8bit):5.9859309017070315
                                                                  Encrypted:false
                                                                  SSDEEP:384:rpI+UaBt8MvxNqf7QHH8zoz7buT6BzCuB0tM8OjrU69xGEI:rDUaO7QK8bBuuObOjJGh
                                                                  MD5:90058AB5CED284EB5665483C21ADC46C
                                                                  SHA1:71085BFE0B046307A1F04C9774BD154470B33067
                                                                  SHA-256:7CB72E0762AD562425ADEDCE49CEE331555AFD4A0D51E88D093292585EF51AA6
                                                                  SHA-512:A4B5B78DDDE7D4748EE0F8FBF5A6B7338793E44845082BAF1814281DBBC5D2BF7651A63DA5AACC2C42F5A8B033FDA21AB77AC286E3A351F221F9D372895AF15F
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):28672
                                                                  Entropy (8bit):6.050019707680197
                                                                  Encrypted:false
                                                                  SSDEEP:768:joSAC+PtwZo2Dg59ro7aUaY8cfiINSXODmXUCz:sXrPI1o9E7aUx8cfnNEOD+pz
                                                                  MD5:56D3DC7ED358AD0D1C38CE9131BD48D3
                                                                  SHA1:EBB58277773C316366AE6BA7D3A7088DDA732389
                                                                  SHA-256:BAE17EC9A85E542EDA03507F91C4FB3B5D6340C27CF49370526232DA4504D586
                                                                  SHA-512:44B03FE5FB6CB4088BB765FB405D563DC835B19E84D1249C0EF03B1A2A4918EFBA416DD92A00D0B6C36168478DE062BD0A177EF1758671769225029A981F038E
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):21504
                                                                  Entropy (8bit):5.9240482165858825
                                                                  Encrypted:false
                                                                  SSDEEP:192:6k+NUCqsoeuqfUIr5UcW/bXPZ2ORUcp0e+TWMQBOn3X7U6CkpbIvXBc9DjMDc9:n+NQDINULZ2mFM8O3rU69Uvx2ncc9
                                                                  MD5:09DCECE311682F6B4AC239E38907158A
                                                                  SHA1:5BCBD660C97490D00EAF914C73AE5206B5DD753D
                                                                  SHA-256:3FD6D16C687FD561312470125EC04DF00040663A598A3E6AAE3E404F9C7B5E2C
                                                                  SHA-512:1F3B12F25798F6250B64C68C992377FB0B4F4F6A17614D0AB254031A79C6DCBD1439E3615EE4AAF4B90614CA3044CFF3EDFC288F78999363F2831BBAAB7951CF
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.590708216842636
                                                                  Encrypted:false
                                                                  SSDEEP:192:UBmHlGlePf3x9WS08iJ+jTWMQBOn3X7U6CkpbivxpcU:UB+GE3xDfGM8O3rU69mpC
                                                                  MD5:73D7F28F5593470E4A6D33AF56021439
                                                                  SHA1:E480CCCB821F958C2EC94744C2A86378F423F7C5
                                                                  SHA-256:BF21D7C30EC4A9F5419F1A722DCC3CAE2399A6CAD53CD30E1D1D331ADD2C862C
                                                                  SHA-512:8C28F2DFA44106EAD47C367AFBF7DFFB9DF5D735906EDD28CF1D0626A66A50F618553A1DBDDB86EC4F3911B9E61859CAA638E469D9DD1EC702038DF209695F99
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.832497331995607
                                                                  Encrypted:false
                                                                  SSDEEP:384:J/YxE52AOC4KL2a8xxZBIM8OjrU69Rj/W:Jwi23DfxBIbOjJj/W
                                                                  MD5:6057D969B47993D2BFA9E671248443FF
                                                                  SHA1:F0865F0B4B6CE22799835B3F9FE4AE7FF39910EE
                                                                  SHA-256:4EF86973828194ACEB5221E9E354D061B537C0C364286976DDC3C2FCA68239B8
                                                                  SHA-512:2180B98FEBFA3C6CEE1AD21CC56395E3CADCB6F2FEC2B8C306823BAFA8AAC115A615E0F8D165BB42F9F42DB6C99D364992595E35CC6D93D83AA042BA6FA3B935
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.408499239262969
                                                                  Encrypted:false
                                                                  SSDEEP:192:U9Vxai9LlEv3WvWMQxO73X7U6Ckpbs7tD6:krc5M8ODrU69+tD6
                                                                  MD5:6EA3E25E7A6B3EDD8DA90E7220F98028
                                                                  SHA1:D9F0BFD4A0AD091F3FF2719E7B3D8F2A8C88E716
                                                                  SHA-256:80FA83DBFE63DD4CE6750EC85060F6BBA7887C71B6106C19083AEFA576E57080
                                                                  SHA-512:92DB0553056D58201E152A23C9F068EED764D9BD739C513CA0ED4E7802C7EA50D206C3131AB946977227D8B660FA9A225B1552942C90F39AE9BF20FE5F7FE113
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):5.900523521536886
                                                                  Encrypted:false
                                                                  SSDEEP:384:4EpcASaIIe5asUR4keucLQkWrYM8OjrU69LlD:4G6vqmkjcLQkWrYbOjDl
                                                                  MD5:BC2377530F0C0321C5763C3AB3C303BE
                                                                  SHA1:46E4EC97780D2A852A4323C533AB1569F7388CA9
                                                                  SHA-256:70301DDCCDFC7435875B824DC70366106B35E3E268F9640CE33459DB087B9699
                                                                  SHA-512:4753146B381E278017AA9EDABB7358A9FB4A9F3C42C8D476150DA0DFFE1A72DA80D229F3E416A331D2E0F75BBFF2D498E6359F021F6F6C6FD50D9CA2819F6476
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.0.*.^.*.^.*.^..6 .+.^..43.$.^..4#.).^.....(.^..4%./.^.*._.B.^..40.".^..4$.+.^..4&.+.^.Rich*.^.................PE..L...R.J...........!..... ...0......j'.......0.......................................................................I.......:..P............................p.......................................4..@............0...............................text...{........ .................. ..`.rdata..."...0...$...$..............@..@.data........`.......H..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):18944
                                                                  Entropy (8bit):6.005619860229566
                                                                  Encrypted:false
                                                                  SSDEEP:384:jdkl7ZqI2Ikw6sYAkryri2blX8DUWM8O3rU69qlli:js7gpI56sYARN8/bO3ill
                                                                  MD5:5D2BF1A734C9F67829C02A8CDAA3CC7D
                                                                  SHA1:ECC396B1E7F772ACBFF3AF8F5B548F5D18CE4A04
                                                                  SHA-256:0B3A91F78DB66D2DF4E53BEF373096477F8CCB070F11C188EEF0C8C4EBE60542
                                                                  SHA-512:D9613948A40140EF864DA3DD82E12CCB1FA522F0CD59BE09161E9DE5F17AF999381C7FE6C4F202EE7A0E4E657F2879BE94B07EB305D37DF11D197D2D604472F8
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.b2..12..12..1.W.13..1.U.10..1.U.1<..1.U.16..1.17..12..1x..1.U.14..1.U.13..1.U.13..1Rich2..1........................PE..L...e.J...........!.....&...$......P0.......@.......................................................................P.......E..d............................p..4...................................XC..@............@..8............................text....%.......&.................. ..`.rdata.......@.......*..............@..@.data...`....`.......D..............@....reloc.......p.......F..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):9728
                                                                  Entropy (8bit):5.287703202098245
                                                                  Encrypted:false
                                                                  SSDEEP:192:gBqh/+6mcMtvO2MTlQwTnvWMQBOb3X7U6CkpbZa3pJ:gBqh/+ykWeGeM8OjrU691u
                                                                  MD5:E2FF8F6A8B9C55AC09F5EAFA1D6FB585
                                                                  SHA1:0840036A756C97BE9D62349546B3EC374FC21F1D
                                                                  SHA-256:C63998D0084012F1FC51C5C0EF7BD3206D20E66DF9D4549D2BAB2568B2EBA5B7
                                                                  SHA-512:1544F7D011E2B8475DE82BC948A8579E0506417550F1F254E090AE3494ED5DD77C0B5BA108F3E9C963C87E02DEC85843AE78E6292AA4160CCBB91A39685FAA3C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.9y..W*..W*..W*.4)*..W*'6**..W*'6:*..W*...*..W*'6,*..W*..V*>.W*'69*..W*'6-*..W*'6/*..W*Rich..W*........PE..L.....J...........!......................... ...............................P.......................................-..:....$..P............................@.. ....................................!..@............ ...............................text............................... ..`.rdata..J.... ......................@..@.data...P....0....... ..............@....reloc..X....@......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):17920
                                                                  Entropy (8bit):5.903102171278866
                                                                  Encrypted:false
                                                                  SSDEEP:384:51vG4C253ZkUL9PXPG6MM8O3rU69+/6PU:7bLJPO6MbO3oQU
                                                                  MD5:CDB8336640DB3263628E35205D86BC0F
                                                                  SHA1:94C9FF0C7E7BFC858AD2DC3E43B32160AA3F4D4C
                                                                  SHA-256:3E89378B7FE5D0BD6F3DD853052D4F950DB10F93B26B6EDFCC9FEB2BC902AC45
                                                                  SHA-512:2BFB7932402368F4637E094351EE71386C213084ACD53C42D69E5685D0CDE869EF910D1055A8700F99DBA6AD7AD881581DC6D21CF107486E571BEDC144E6749F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k.~....k.....k.....k.....k.*d...k..k..k.....k.....k.....k.Rich.k.................PE..L...+.J...........!....."...$.......*.......@.......................................................................Q......<F..d............................p.......................................C..@............@..,............................text.... .......".................. ..`.rdata.......@.......&..............@..@.data...d....`.......>..............@....reloc.......p.......@..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):73728
                                                                  Entropy (8bit):5.726255914799562
                                                                  Encrypted:false
                                                                  SSDEEP:1536:eANcF0PPfThgvbeisZ7r+0OGEOj/XzrjG:eAuF0f0iisBTOGEOjfzrq
                                                                  MD5:6B92598C508C8C5E55454A9271F0CCCB
                                                                  SHA1:2327FEF5BDB77D62B5DFFD31F09384CCE5F43760
                                                                  SHA-256:952572DEC334DC8D9A55ECF823B47C4F1BC4B34DCE01999C4A3260D31A986A6B
                                                                  SHA-512:0FF1283961C81D95E952D84E88E381E7B2960CAA0D472D863D1D16EB3F16677BD53E036479F54CD830A08C4FA444D0A6FE6351751E0919AC652E37E5185831C1
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:.TqT.TqT.TqT..*.VqT.s.).WqT.s.9.[qT.~..PqT.s./.QqT.TqU.6qT.~4.UqT.s.:.[qT.s...UqT.s.,.UqT.RichTqT.................PE..L...R.J...........!.........p......>........................................ ..........................................)%......d...................................................................X...@............................................text.............................. ..`.rdata..)I.......P..................@..@.data...............................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.404491355784707
                                                                  Encrypted:false
                                                                  SSDEEP:192:1NkpN41yEgqo/+h9I5TWMQBOn3X7U6CkpbiQTp/Rm:16pO1yEM/+tM8O3rU69mA+
                                                                  MD5:492C8E5FF6CCA3EA7853141EE47A77B6
                                                                  SHA1:F91DF819D7E997BE4A6EC6AF15F4AF3737739158
                                                                  SHA-256:6D3857FA40C883D94E63D61B7749930FB5CBA82A59ECC0E009CF9B65721BE6C1
                                                                  SHA-512:6F9B05E425DC4EC9032C4FD5C65C349C932FC5E6A91D4BB1BC681A34055D28E5D6B9DA5D32921DC9F68A15B712C4853CBFE115B3F3EBBD435168B3F1A58762E6
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DQ6y.0X*.0X*.0X*..&*.0X*'.%*.0X*'.5*.0X*.?.*.0X*'.#*.0X*.0Y*?0X*'.6*.0X*'."*.0X*'. *.0X*Rich.0X*........................PE..L.....J...........!......................... ...............................P.......................................-..]...l$..P............................@..d...................................("..@............ ...............................text...{........................... ..`.rdata....... ......................@..@.data...P....0.......$..............@....reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.571079585997639
                                                                  Encrypted:false
                                                                  SSDEEP:192:r1z8wPF+gSVajBcBo0cBCcfIjy9Jy9W/iLiTWMQBOb3X7U6CkpbP7jY5Mvp9q:r58wPFqsNeoVQcB/cM8OjrU69j77u
                                                                  MD5:59D40D66B68A43215D174BE4315D6A46
                                                                  SHA1:6E19D3447809FDB90D11B452D5CF84A83A1B43E6
                                                                  SHA-256:3418DD7E60F0F1645F6A52D62A578A0687B0D2AF5D81F350A2B02B1585DAA4E3
                                                                  SHA-512:21009E339FD0204C7FD7FDF047025910E2CF09E9D284FF1F2569BF8E445BD658AEF20AF1EE626EBD06C0A70D89A159268A88CCCBE10DFEA724C2B56483205082
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.....bA..bA..bA.*.A..bA%(.A..bA%(.A..bA..?A..bA%(.A..bA..cAD.bA%(.A..bA%(.A..bA%(.A..bARich..bA................PE..L.....J...........!.........................0...............................p......................................0?.......4..x............................`......................................x2..@............0..,............................text............................... ..`.rdata.......0......................@..@.data...H....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.506071858412561
                                                                  Encrypted:false
                                                                  SSDEEP:192:T6zuTo0QkA9C6Y0N2UbRCr/TWMQBOn3X7U6CkpbCoPzOJ5tJj:CuTol9K0w2M8O3rU69GoiRx
                                                                  MD5:8226DD421AB38B8DA6B2B19BADBBD7F1
                                                                  SHA1:A6F72BB4B444B1B8472C7D16921FCC16E7AD57D7
                                                                  SHA-256:9F9F2EE9BAB833A88F1303FECF7091858E8F5713B86292C3FEE933AC69CC060D
                                                                  SHA-512:0C89320EDE8DB8C3E656246DFB1128AC4BE1B14F5D4AF6EC91ABED0696A888786C319958C6ABE47F2E1422E1904F4F87FD507C0ACEC48DF538E363ABD4D1F0CD
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........];xN<U+N<U+N<U+..++O<U+i.(+L<U+i.8+@<U+.3.+L<U+i..+K<U+N<T+.<U+i.;+H<U+i./+O<U+i.-+O<U+RichN<U+........PE..L.....J...........!......................... ...............................P..........................................K...|$..P............................@..h...................................8"..@............ ...............................text............................... ..`.rdata..[.... ......................@..@.data...P....0.......$..............@....reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14336
                                                                  Entropy (8bit):5.823268572417025
                                                                  Encrypted:false
                                                                  SSDEEP:384:167KhHewq4NypSGbeEc2NM8O3rU69Mu9:167KiBFeEcqbO3ku
                                                                  MD5:C35675C43F78ECB8C4BD64C18803AC85
                                                                  SHA1:586BEE6BE14D7116031D932250DD7BECEA18BD68
                                                                  SHA-256:E44FFD4C6E4B2D1ACC51315307A94338575A9725E0A6D96D1212C992CAF993D2
                                                                  SHA-512:A08BDB854B707568247B8C0976A09B4A32A76778FC1777FE9AD509765A0D861039078C70EE1362C4CF89BB29F465C9E0D53F1C12BF15DF8970051C70B98BF069
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............L...L...L.~.L...L.|.L...L.|.L...L.|.L...LA..L...L...L..L.|.L...L.|.L...L.|.L...LRich...L........PE..L.....J...........!......... .......".......0...............................p.......................................@......<5..x............................`..,....................................2..@............0..@............................text............................... ..`.rdata..{....0......................@..@.data........P.......2..............@....reloc..|....`.......4..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.647118606917623
                                                                  Encrypted:false
                                                                  SSDEEP:192:fuxB/hejhy7+nnabCENSAqRdlZPdlkd1zGvWMQBOb3X7U6Akpd+S1PwPfL0ILeLy:qUi+nXPdLllIrzZM8OjrU6LOO
                                                                  MD5:5C44369BE21563EF22C9B4AAE521E7E2
                                                                  SHA1:D38357427EF040B445371E943C976EB73A6D8320
                                                                  SHA-256:9C38E2A8ADB5118986FA449CBE57E648869B0F342CB487B3127924B2D716E7BE
                                                                  SHA-512:F69D3FFC2F6809AA113E4FA51CC89AAA2AB629A74D4EC97F55EF92E404E1F977A09A3B57A59CE673C8CAD2224DB8630F4F1CE4750FBF6607C48B71CE03715B33
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.y...*...*...*.t.*...*'v.*...*'v.*...*..*...*'v.*...*...*G..*'v.*...*'v.*...*'v.*...*Rich...*........................PE..L...4.J...........!................(........0...............................p......................................P?......,5..P............................`.......................................2..@............0..(............................text............................... ..`.rdata.......0......................@..@.data...P....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14336
                                                                  Entropy (8bit):5.863113562294952
                                                                  Encrypted:false
                                                                  SSDEEP:192:gFtJT3uQ5dLZ+DIYWgfB1BXPctDXQVK7fUETWMQBOn3X7U6CkpbD5yfylOJklWl:gzJ55dsEYWsBnEBCM8O3rU69v5G/l
                                                                  MD5:E58753A61E054AED97C4D66323177070
                                                                  SHA1:81C27416975BCD2E407B5C70C1E38535C6EC0A3B
                                                                  SHA-256:BE36F28778211067621C97889B957B1BF361EAA7671481BEBC08814DAFE48A1A
                                                                  SHA-512:36DBE7D6981976A702D1168834D2805B331182C6493B5EABAEA20295B38F38688A7AD6F6B4475416C4E3772EE55BB4AA81F5321399F25A3EE353C6436DF4A9E9
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.^.).0.).0.).0...N.(.0...M.*.0...].&.0...m.-.0...K.,.0.).1.c.0...^./.0...J.(.0...H.(.0.Rich).0.........................PE..L...v.J...........!......... ....... .......0...............................p...................................... @..6...,5..d............................`.......................................2..@............0..8............................text............................... ..`.rdata..V....0......................@..@.data...d....P.......2..............@....reloc..X....`.......4..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.47137536588699
                                                                  Encrypted:false
                                                                  SSDEEP:768:+JmLd2Xk+8gGHKwe2vu6zd41VAn1e/6+c2kUoMXODqA7Jwj:+JmLd2Xkzgye2u6zYAQcjUoiODqA7Y
                                                                  MD5:59611BD870CA02DCEFDE177B3772EC04
                                                                  SHA1:43B1978BA715CEF8D95474CC48A5760E52E9BCE3
                                                                  SHA-256:FA25B1677685C01B7E26AD419314DA7D0E138FFC05256085BE8FD6D128E6F14E
                                                                  SHA-512:A62C632C02BE2DFC0AC06E012273577DBEEB4D20803378136DB5FF9EBB18ED9D064F05F9DD4526E943789E9E1331FF483664CAE8C03B696382F4AA8184C8DBF2
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...iy..iy..iy......hy..N...jy..N...fy..v..oy..N...`y..iy...y..N...ay..N...hy..N...hy..N...hy..Richiy..........PE..L.....J...........!.........p........................................................................................................H.......................,......................................@...............`............................text...K........................... ..`.rdata...6.......@..................@..@.data...............................@....rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.525632561491188
                                                                  Encrypted:false
                                                                  SSDEEP:192:yMpo805C2MclPot95kC+GWMQBOb3X7U6CkpbT1CpwiP:yMpj05acMrZsM8OjrU69fYH
                                                                  MD5:3C81B7226524D1CBA6A7DFA5303EE2CC
                                                                  SHA1:A49BF7B79C803743CEEAD40B93E26207BA160AA0
                                                                  SHA-256:5CBCE8703B9DD6C5F8340EC09A68C589F872CCC3F4E37A9E63C187E2A3EBB19B
                                                                  SHA-512:9A79B470DAA0ED0880FC92A2CB57EA40A1363890428DA762DCABE8B878008648068764BA30D8F3FF397FCC0AAC743CCCC902A567E04FA5DD04D12A88EAEC4D55
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........:.i.i.iyN.i.i.L.i.i.L.i...i-..i.i.L.i.i.i...i.L.i.i.L.i.i.L.i.iRich.i................PE..L...v.J...........!......... ......P........0...............................p......................................`A......|5..d............................`.......................................2..@............0..@............................text............................... ..`.rdata..C....0......................@..@.data...x....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):19456
                                                                  Entropy (8bit):5.98693822344368
                                                                  Encrypted:false
                                                                  SSDEEP:384:f4wqZKLq/aFHhwOzwFTQg2lR+ws+mJS/M8OjrU69arVCV1qzgvtsahtWeZleVnKO:f97sChfwFuH/bOjB
                                                                  MD5:801C4943BEC5C093D815831921386A1F
                                                                  SHA1:3CF627CC4581ABAF81D5F162E9FFB8F1CFC66680
                                                                  SHA-256:DADF5FBFD4BCC56CF661A5F39C074BB2CC36E7FF94F525AEDCB960142E63ADE3
                                                                  SHA-512:95403F08FC8B434FE7AFD6C06BDA52D825096AB49A8ED46F196D18F8E5F6567B3F3C4451434085D52C06DC8CC53CC6844C3869FB722740AFBAC44E3E1F1A88C9
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.509994795473386
                                                                  Encrypted:false
                                                                  SSDEEP:192:Axm0EScL/r9FPqCo263uNDHaTCz928WMQxO73X7U6Akpx52/7:EmnS8r9pPP6e5HaexuM8ODrU6LW7
                                                                  MD5:72C4FB40A3402BCB4A07BF23B24FDF1F
                                                                  SHA1:DAAECAE41F8FF65B94F6C5F962E9E100C5C24D51
                                                                  SHA-256:5C48D538508E282FA6A0A5F537D7849F67C6321D6FFE92429E4BB56588D41FBF
                                                                  SHA-512:DA101016A26EF69D6EFDA9EDECC1D9FD70755F42289E74DF2B81F7F80667DFCCA2B96169988DED229C38F4B95A005B86B3BE3DD956D7A87826DE25020C398767
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):49152
                                                                  Entropy (8bit):5.167152142515308
                                                                  Encrypted:false
                                                                  SSDEEP:768:8I0nre0K9KWN4zvkGS5LOqO3tP9xi7sbbOjUBsetyUo:snre0WizvkhOqO9FA4POjEsetyD
                                                                  MD5:5DF0A38E32B8B813DA57AE4F3AED2A65
                                                                  SHA1:2231480F4B84044DFBC32A5F297AE68BD70645F0
                                                                  SHA-256:19F4AB67D4873AA50D13AF0D3A64E49CEAD8B6310BD87EAE1034C25A882216FA
                                                                  SHA-512:DF62CA365E2D22C2522C3DEA27E4D7F916B13ADF72EB9B5048FE02FD6FFD31DC197478C3FF6B9EF3789BA09DF517FEE72063A52C582AA674B052CC656CD9C593
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.791054618853169
                                                                  Encrypted:false
                                                                  SSDEEP:192:VlciBnV59lRSOGmtrKotRCy4TWMQBOn3X7U6CkpbI8CGEL8ppS:VlcihPfQItr3TM8O3rU69U8Rb
                                                                  MD5:B6E0E3C886C5772E71E6C455FD2621FF
                                                                  SHA1:B04DB08355BC894A8E95E1C9476D55DFAC4180C4
                                                                  SHA-256:8F5DC6B8454F06231D44B7718ED312D294E9370B20D712ECD599620219E5A6FC
                                                                  SHA-512:8C51EBB77D53D9AABD187D86E1E4AF52EB621CCCEFE738BBC8AFD0B5D83945117BE8B2804F96219AD635B7DDCCA2633FE8956172AD58EF1A2202835C587EEE89
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.61947147814341
                                                                  Encrypted:false
                                                                  SSDEEP:192:7PClkr72shXtLUckoTJ1WMQBOb3X7U6CkpbYxSuG1CDIgxT72JBjrhpj8+:7fRhJH7TWM8OjrU69E2
                                                                  MD5:F9C779396C893950212CE1BD5FF8097F
                                                                  SHA1:5ABF6ABDCDB4D0E3035EFC733ED277673211D7B6
                                                                  SHA-256:1640348938B77BF8A66FB2F251210D2F77F8343F18CAB959BC6F1F6606736E83
                                                                  SHA-512:500C2FF432E00F88A5DA1DFF6B6D9C5170B8D45D79982B127E64802F467752488CECAA952F3165FA87B3DF7FE77DBBD68514CA8B6CCB9FD9C1C5D617F67C892E
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15872
                                                                  Entropy (8bit):5.777940227094237
                                                                  Encrypted:false
                                                                  SSDEEP:384:6IkICZH4YUXCFFq/NfHy12M8O3rU69MQWTX:6Iid4YqC3gNfHy12bO3kvTX
                                                                  MD5:0330EC1C3F2FC62CF9C5AF7D0A2862B8
                                                                  SHA1:1E8834FE080650A12568EAFF6163EEF5BE003E5E
                                                                  SHA-256:602BB6C63B31927CEF473D8EDA5E3DD22AE6A0A80400CC7E5FBF9575A81F4DC7
                                                                  SHA-512:7CCE0A5A7CFCB5F7376E85F20859D1E773F2D239D845CC1CF550FDB29173BC41187202BF5D1CFF790C29F55E77549737AB0F10DC7873F2236D2490842CADA822
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):28672
                                                                  Entropy (8bit):6.027646336176398
                                                                  Encrypted:false
                                                                  SSDEEP:384:IHqlU17nE5EqpzfcUsy1yUXQLjDQps7yYvUknOLK+V/cAhpxrM8OjrU69Q5BBYrI:rESzdsyIQSyYvU6FAhLbOjGcECW
                                                                  MD5:74BB4AA51F18BD5CE29BE819061C3799
                                                                  SHA1:6B60D9B6B975B8808576353EAF31639CCE447AC8
                                                                  SHA-256:1B4219825FA4CCBE0DF31BEA130A02CA3E4C1BA0AEDA323163AEEABC15E36679
                                                                  SHA-512:4C5361279A54AB70C9BC225F9CC3F76D93A3A54C4CA9E5E9DD6E03BD3E75726C9899451924FD273D4255DA1ED1C642685124CECCED0CAADB76A76F3EECA9FD29
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.406956505008539
                                                                  Encrypted:false
                                                                  SSDEEP:192:gAzA0a/r8JLg32+EN3vWMQBOb3X7U6CkpbBKIpvY:gAzAsJOtENOM8OjrU69N1l
                                                                  MD5:A5C43DDB183EA33D8802A90EBCDDDEEA
                                                                  SHA1:F904155114DE6623611E24D64B2AD5E73B0C8B2D
                                                                  SHA-256:9EBF1BC7DA3D53B16D85A1E356B286D7EFA643A73E012AF0B0A09BD124E343C8
                                                                  SHA-512:A6A51D1514FAA0104B015DD216C8D028C477A08F44F94CF5BFFB4CCB4AEEE56C7A24F06553864A8DF3F8D19431DD325AA824BD3D5261B55D68BCEBF40D1A81F5
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):421888
                                                                  Entropy (8bit):4.976546971847079
                                                                  Encrypted:false
                                                                  SSDEEP:3072:b7TZayCLZWLp7zSxnjZrCcUiJWc7edg5cEFOUDtcX0xi+SAvblrgaVtdDt7Ojsme:3NayCoqja2edg5cxWi+V5B7Ojsme
                                                                  MD5:4E526108929F726A77602393A7C2EF8D
                                                                  SHA1:D65338075D91D796E2EAF152C30735329272B927
                                                                  SHA-256:CBD9665065D5942CDE4EE0743909BC0CE9E077DA5E8ED83ABA6F6775CC9291AA
                                                                  SHA-512:437594FADC33E087970468956FE1A517DE3B64818B92E7363028A81AFE40E6FE97B667EC144494349496B0250B8FFA8709F1D6A17FD4D05F92FEB929C75FC300
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16896
                                                                  Entropy (8bit):5.870437523820119
                                                                  Encrypted:false
                                                                  SSDEEP:192:bcFLJjhdYGvD16cUgNYSJ58iPxzfwLvWMQBOb3X7U6Ckpb4aQGmf7SN:bcFNhv1xUgN95F5M8OjrU69kaFmu
                                                                  MD5:4E3B54766162502AB8D374698ECDF996
                                                                  SHA1:CD50EC85B50C18D5DAFF5D4F44FDE30FF45438C7
                                                                  SHA-256:6B4F03846206F8459A1ED1AC34150723A5953925E88726FED8EF9A75C91E69A5
                                                                  SHA-512:F8344412AC34F408E1333762EA52F078CC71A29902AB5C5D6AE3D93E5BCA61FCF1758381802236D7495F4CBFEFBC2C02802E99E695FFE74FD299C1221B945AF8
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):6.109555277846487
                                                                  Encrypted:false
                                                                  SSDEEP:384:70vC74VdscXWoyynQ4IgAMjrjxxbSM8OjrU69Hohv:77iXlyynNNjrjubOjvoN
                                                                  MD5:CB683603C106E109DD92C4B691C55A38
                                                                  SHA1:58F1DD9181973A0507D131A34BC5317FB1C8AE76
                                                                  SHA-256:A55BE182B06C77ECF295BB96812D37788D1FCB689F347FC46D6DDE72DA7D3837
                                                                  SHA-512:99F8730B90E22DE5EA84A5159E027AB5B880D162F123C8222A3B6EEB1A10EBBEAE813DC81A1C4FFDADF09A4409812058A1047D09339C2588B70140BA20B80751
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):19456
                                                                  Entropy (8bit):5.913625087221902
                                                                  Encrypted:false
                                                                  SSDEEP:192:eQ7V/8ECgVUI9BrIqd62Qkfs6xg0v9Z+Xs2X0rTWMQBOn3X7U6Ckpb/6xQTIpPjD:ei/OgFIT2VBvzFKM8O3rU69YQTIhjD
                                                                  MD5:EB9CF423786A15AC828912DA2DDAFCFE
                                                                  SHA1:5DF1FF41CEA0A74211842075F4AD6CADFC241762
                                                                  SHA-256:7B9F1BE45A6179632615310E52F072D84F15D4EE5A8BE815277DABCD40146360
                                                                  SHA-512:D2BC9DCF3391CF6F6C3191694436604EDE67EE424C7D513E679E176CA6C49B1C2E34CAC4E9E49F8509295A23CDB410F6B0ACCC718E20FCB7119FDE9A6574098E
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36864
                                                                  Entropy (8bit):4.606142536866133
                                                                  Encrypted:false
                                                                  SSDEEP:384:iraUkdNZ77QfzPk8C4hyeE0XuTcgj2wM8ODrU6LPr8cv:iraUkdNZfWQX4hdE02Rj2wXOD1r8cv
                                                                  MD5:EC0827366C5A6F7B37A9958160229EFB
                                                                  SHA1:E55DBFA45E300FDD71E351705CE1EED5783A507D
                                                                  SHA-256:B9A5522DE84CC6D9531EC02D25526D228DB4033164B170E1DD5A5EE9282AD9CC
                                                                  SHA-512:D6A1CC02EDEB025FF0F45520ABA119120568C5737FA6EA674B298DAB2600B448C7DC27571D989CCFA30BFE39792BC659638519977F839C73E71F44F482AC061D
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29184
                                                                  Entropy (8bit):6.127757585206346
                                                                  Encrypted:false
                                                                  SSDEEP:768:AsOx5JuDTKHvZLXxLQWhXmh8bOj9F7MRv:lOb+ilQIXY+Ojb7MR
                                                                  MD5:1BE6B4E1C2101504E053DADB4761759D
                                                                  SHA1:8BC5DC57EF57A53818A714841A52577FC7DCF70F
                                                                  SHA-256:4FBB5B3B0F0C6DC5486B4D3D5D3F268D2CE2DFA6630B01F15BBC78338749D8F5
                                                                  SHA-512:702C944A1B7E3A1FCDF55BF58EDCAD1015BFC0B4CC889857CED3886FD4097B0C6757BCF86DCE67954941F83E5E328039C56BD4F58FD438A51AA51A526B959C6B
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........]|`.]|`.]|`....\|`.z...^|`.z...R|`.z...[|`.s=.Z|`.]|a..|`.z...[|`.z...\|`.z...\|`.Rich]|`.................PE..L...t.J...........!.....J...(.......R.......`......................................................................Ps.......f.......................................................................c..@............`..`............................text....I.......J.................. ..`.rdata..I....`.......N..............@..@.data...|............h..............@....reloc...............j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23040
                                                                  Entropy (8bit):5.962097892516513
                                                                  Encrypted:false
                                                                  SSDEEP:384:QUMbMeN8HAw+/CERk833VJyM8OjrU69OzqTT7X4RhBFn:QpN8gfqy3VYbOjWIT7X4RJ
                                                                  MD5:010581F66A6F79E94E78517DBC404DEE
                                                                  SHA1:CA34BE6306839C9DE3ACA9E3F64D799FA742A7E5
                                                                  SHA-256:DB178B3D562AC466B2603B2621E371942E3A81B6B5AB17E54BFF482A10BC1D78
                                                                  SHA-512:5F0B1175DE7FF7D890F2A44B06345913AB0DF69852498BDFE5C48BE3876309FEA5CBCE67AEC8811D2F6A753171A91C0F776BF19B7EE7881C327F8AC78644F24A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4..g..g..gug.g..g.e.g..g.e.g..g.e.g..g!..g..g..g...g.e.g..g.e.g..g.e.g..gRich..g................PE..L.....J...........!.....0...*.......8.......@.......................................................................S......lF...............................p..T....................................C..@............@..p............................text............0.................. ..`.rdata..A....@.......4..............@..@.data...x....`.......R..............@....reloc.......p.......T..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.649630896224565
                                                                  Encrypted:false
                                                                  SSDEEP:192:/ZLhHXivjsVe/6vjAzG8B8WMQBOn3X7U6Ckpb+Uz73Jgzi:/ZLhHX4YeI0zBnM8O3rU69KO3eO
                                                                  MD5:1EA55C9BE954D08D7F17ED4DAC5F4BD3
                                                                  SHA1:6CD249063C751571250AA09A744D07520184FF53
                                                                  SHA-256:D31855F1D820469B0608BD308BA744C426F6BD8F05C07D45FF4C423E1CEB4630
                                                                  SHA-512:8C74B35068410C33E6790363E3082581E6F9D1CAA6BEB66D9ACCA7BD9AC2D59D6168EC69C7BF254F7FEDABE9E2347A60925CE82A115D0EE33B6903C1A0426CCD
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<c+N<c+N<c+...+O<c+i..+L<c+i..+@<c+.3>+L<c+i..+K<c+N<b+.<c+i..+H<c+i..+O<c+i..+O<c+RichN<c+................PE..L...e.J...........!......................... ...............................`..............................................|$..P............................P..@...................................8"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...`....@.......$..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):372736
                                                                  Entropy (8bit):5.414685736332277
                                                                  Encrypted:false
                                                                  SSDEEP:6144:AzGb3rG+yh2RIt/ueW9EkVVkuJbUGQfyLhe78WXOLjJmePysWpOAEl:Xb3a+yhwEkVhQz1XORmcyDE
                                                                  MD5:12D038B3456E32CB8FC4B467E7B9E7C4
                                                                  SHA1:DC22F56BBEE60BE728530CA2718E6B503F21A79C
                                                                  SHA-256:42032B190C2E0F9F6B8AA8764EBB1937C1FA32AD8061CD8F77FB671E2003AE0F
                                                                  SHA-512:E76C8238581538AB116257525038ECB0F2CA2BAFAAA0AC96FD717DC834388A4BC8C1E9FEF60093663BEB3AFEA2281BCB392BE766F523B19F773F3FE16F77876B
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........M..k...k...k.......k.......k.......k.......k.z.4...k.z.6...k...j.o.k.......k.......k.......k.......k.Rich..k.........................PE..L.....J...........!......... ..........................................................................................2....0.......p..)........................'..................................h...@............6...............................text...}v.......................... ..`.rdata.."...........................@..@.data...L.... ....... ..............@....idata...2...0...@...0..............@....rsrc...)....p.......p..............@..@.reloc...,.......0..................@..B........................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):22016
                                                                  Entropy (8bit):6.053783585795279
                                                                  Encrypted:false
                                                                  SSDEEP:384:/YrDtO5Exrnzge83MOiYyrmoAyx4M8OjrU69enE/N9:/YrZO5Et/pkyrmoABbOj2nEV
                                                                  MD5:7E439E4F03794411786656C65F532283
                                                                  SHA1:031AD22BA20810559E0C8FA2538C26B99302BDD7
                                                                  SHA-256:7B23822DFCC002373A49792AD55D32543B6E322A7C23EA9A7886E9F5CFC7A024
                                                                  SHA-512:7BAA9351433E3AB9B9FD690B50BF045A3247B1C68CC97140FC5B84AF84EFC325924D98140E4D4B70C827C88F65639EB8E66FF0FE87E63F4C45C49AE8F0D1BF1F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jzf....D...D...D..vD...D).eD...D).uD...D..UD...D).sD...D..UD...D...D}..D).fD...D).rD...D).pD...DRich...D........................PE..L...c.J...........!.....(...........2.......@.......................................................................Y..a....K..................................H...................................0H..@............@...............................text....'.......(.................. ..`.rdata..! ...@..."...,..............@..@.data...x....p.......N..............@....reloc...............P..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):6.119246618281629
                                                                  Encrypted:false
                                                                  SSDEEP:384:wuaOaE69sm+uGM9OWA2PibZVVwwhfUe4M8OjrU69zWkF:wucEq8MDPibZVVwwhfU7bOjbWk
                                                                  MD5:6E16309F04A955F310DBFBF1046F44C5
                                                                  SHA1:3E7A1991F989D584242CDC34937C370A2E8DC439
                                                                  SHA-256:D866D18B90FC90FBE4DF382B9AC5521421E4477A99BEDBC5374295EB07150A33
                                                                  SHA-512:7702E18437D0F594A0599B5B5F879262EE6F55A1CA6F4C2E15502F94C8B9522A1B324B2E7BD5B7EF4FE3F208E694CC64FB1D66FAB06BB350C481A5F4BEE1626F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#}..g.z.g.z.g.z.....e.z.@...d.z.@...h.z.@...a.z...'.b.z.g.{...z.@...a.z.@...f.z.@...f.z.Richg.z.................PE..L...t.J...........!.....4...(......H<.......P.......................................................................e..`....V..x...............................X....................................S..@............P...............................text....2.......4.................. ..`.rdata..0....P.......8..............@..@.data...|....p.......T..............@....reloc...............V..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29696
                                                                  Entropy (8bit):6.0465887039909685
                                                                  Encrypted:false
                                                                  SSDEEP:384:OktGhPVukHZWMV3TEm/rACiyCggbfieH8TzjjqvpSkKmeN/0cUlrM8O3rU69ediZ:OYXMBI6TzjjsJIN8cUBbO3mAz
                                                                  MD5:9EC410E215ACB84409DCCA7EAF7B5C8C
                                                                  SHA1:F63E5591F318A24C820FA9CB2BFC4170D1B24E86
                                                                  SHA-256:75C6BB79A28E99863ACC0C391B7C6E973878FE0FA0CFB5501AEF7BBF2D348626
                                                                  SHA-512:16E8C344EF7D30478E923B0B17E13044988A3CF02EE66DFE91A23A159DDA434DA5E321FC24F0B009FB6D46532E6EA94C48D05A6A0D6333F3943DB30C373A7542
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Y...Y...YaN.Y...Y.L.Y.Y.L.Y...Y5..Y.Y.L.Y.Y...Y...Y.L.Y...Y.L.Y...Y.L.Y...YRich...Y........................PE..L...i.J...........!.....B...2.......J.......`.......................................................................u..,....g..d...................................................................0e..@............`..\............................text....@.......B.................. ..`.rdata...%...`...&...F..............@..@.data................l..............@....reloc...............n..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):5.610441113897966
                                                                  Encrypted:false
                                                                  SSDEEP:768:6xB21Cc4mAnBLxTUDLJeLPlxjxzP6ozXbOjNwc5vDGKZrl6CUbMKW+:uuxQnBu4jjxzxLOj9EbMKW+
                                                                  MD5:1516F9BD773370F9D0C2E88C277F8EA5
                                                                  SHA1:27CD56EB126514FFAD3BF1A29E2EDC0774081A52
                                                                  SHA-256:9E366B0AC42C8477E8AFC843B19A3AFD7CAD5203E386B94D703D0E48AC342C14
                                                                  SHA-512:C7794EE0219BC0541FB95EB6B97BDB88DAA0345574BBF40C02EAF9EE42028A4B2FE694AB5902564EF9C4CF880EA27AA123F6D34772BE051747BD64937B9E772C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.^.).0.).0.).0..&N.(.0..$M.*.0..$].&.0...m.-.0..$K.,.0.).1.u.0..$^./.0..$J.(.0..$H.(.0.Rich).0.........................PE..L.....J...........!.........p..........................................................................................t7.....d.......................................................................@............................................text...K}.......................... ..`.rdata...O.......P..................@..@.data...l...........................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.6529446075254315
                                                                  Encrypted:false
                                                                  SSDEEP:192:FryJPxyBwT4ys4fmjPQaIi+n+/TWMQBOn3X7U6Ckpbjf3+pSwC:Fr8Zy2T84ujPN+5M8O3rU69XfO7C
                                                                  MD5:DAA0FD2D89AB6BF1F69AAACF387C576A
                                                                  SHA1:52AEAE0BF665C91E6EE4CBF44B4857AC6782A261
                                                                  SHA-256:2D238A9A126956B03B01E61D8ED84554D8061E2ECAAC8A74D5EF4C6723CD6722
                                                                  SHA-512:F9BDA6B290D00856A9D0FB4F44B175E2D8CED5804DCDD60F6297727DC276C8FA6C90C4BA435DB40FD7E1D4011FEF1CD0B008903C402A397D1DF377579632B0D2
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.1y.._*.._*.._*.t!*.._*'v"*.._*'v2*.._*..*.._*'v$*.._*..^*C._*'v1*.._*'v%*.._*'v'*.._*Rich.._*........................PE..L...f.J...........!.........................0...............................p.......................................?.......4..P............................`.......................................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...X....P.......(..............@....reloc.......`.......*..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.481728547705117
                                                                  Encrypted:false
                                                                  SSDEEP:192:tEvxGH1K4et819U12qvWMQBOb3X7U6CkpbE7Upb:tkeKm19nFM8OjrU69Y4J
                                                                  MD5:E3C817F13A6257974318E7289902B3C4
                                                                  SHA1:0342A06BF2310BA01FF97EDE76BEA52D19EC7466
                                                                  SHA-256:75456FD19F34BA4D670CF38565E98E97BF9FD1DF11BF7765337F8C3FE1A38812
                                                                  SHA-512:6CB5409873999E1D5595DF614FB7F5D71867460A154B9721FA4B21698834D12E156C6F86257F8588DBB49518991CF3D0FCC2F9D5F3BE8756BC86348516785833
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V)4..HZ^.HZ^.HZ^..$^.HZ^5.'^.HZ^5.7^.HZ^.G.^.HZ^5.!^.HZ^.H[^THZ^5.4^.HZ^5. ^.HZ^5."^.HZ^Rich.HZ^........................PE..L.....J...........!......................... ...............................`......................................./.......$..x............................P..X...................................H"..@............ ..,............................text............................... ..`.rdata..@.... ......................@..@.data...x....@.......$..............@....reloc.......P.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15872
                                                                  Entropy (8bit):5.929564519961956
                                                                  Encrypted:false
                                                                  SSDEEP:384:OiTrkWZETWx0BpCkJBDYAQM8O3rU699wNQi:OiTrFZ/xCpVJdrQbO3loQ
                                                                  MD5:4F753277C92C2B061BDAB5F4A9021073
                                                                  SHA1:6971CD8A573C58A6FC2E05D41C1A22DCD99242C2
                                                                  SHA-256:ADE6137AB1B3ADC5F043E7C2C3E9AAF46FA47B9F00555FFC98A6C43693099F3A
                                                                  SHA-512:5341E23D03C6C1C43B35FF0B5C086711DB822D0EAA06B753688CB2F391BA276B1F340DCCC455578DAF7220705D1301AA06EB87DC064D7012142C4812507FD359
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<.+N<.+N<.+...+O<.+i..+L<.+i..+@<.+.3.+L<.+i..+K<.+N<.+.<.+i..+H<.+i..+O<.+i..+O<.+RichN<.+................PE..L.....J...........!......... .......'.......0...............................p.......................................?......\5..P............................`..@....................................3..@............0..$............................text............................... ..`.rdata.......0......."..............@..@.data...h....P.......8..............@....reloc.......`.......:..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.571081610485558
                                                                  Encrypted:false
                                                                  SSDEEP:192:BGNoShoJSLQa3yBsWmbhsWR5CLvWMQBOb3X7U6CkpbeOnpeYS3T:BzShNnCBsvbhTHM8OjrU69q6A33
                                                                  MD5:BEB6F608B2EFFB5A2E18E1C1E7B1A3C2
                                                                  SHA1:D73914077948083322182817D1134B5891B41A14
                                                                  SHA-256:8B545709ECB34E5F0AF580FBAA5E01047323E6913C595AE6FACA560A9CFCCD26
                                                                  SHA-512:8FCD668A92D3A5EE8B0CF58E7FDFC40D4F68A348B075829FC2BA930171EF8D87F32D4722EE7EF06138CFADB387133F2415B11E6D847395B61C217030653C40EE
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<c+N<c+N<c+...+O<c+i..+L<c+i..+@<c+.3>+L<c+i..+K<c+N<b+.<c+i..+H<c+i..+O<c+i..+O<c+RichN<c+................PE..L.....J...........!................:........0...............................p......................................P?.......5..P............................`.......................................2..@............0...............................text............................... ..`.rdata..~....0......................@..@.data...X....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13824
                                                                  Entropy (8bit):5.642463367285806
                                                                  Encrypted:false
                                                                  SSDEEP:384:C3qWqWKjxdqAk8dzN4G6OM8OjrU698WL:CXCxpN4GFbOjUW
                                                                  MD5:9C4547F0D9C1D0029CC609DCB61AE6A2
                                                                  SHA1:264805CA2DA92933EEC8998083670EDDFCA84D9A
                                                                  SHA-256:9780BD96F4C2E76C3116E8C090CF8E0BE28835E102CE3CC9C6BE9B5474C0E938
                                                                  SHA-512:5EB8D8D793BEBA559633E92872F6C806CEE7872213864D54A9373723CB8CD25896F1A1FA3135F630DD37001818C19CFF46FD25DE2F27BC15F30956ECB358E6EA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........*.y.y.yyN.y.y.L.y.y.L.y...y-..y.y.L.y.y.y...y.L.y.y.L.y.y.L.y.yRich.y........PE..L...w.J...........!......... ...............0...............................p.......................................A......|5..d............................`.......................................2..@............0..D............................text...[........................... ..`.rdata.......0......................@..@.data...x....P.......0..............@....reloc..D....`.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10240
                                                                  Entropy (8bit):5.615127936574816
                                                                  Encrypted:false
                                                                  SSDEEP:192:UHk2UJjRLEc2p5wyRYhOM/TWMQBOn3X7U6Ckpbt5ozpPk6E:UE9JjRLE15wyShOLM8O3rU69hyS
                                                                  MD5:402F378C77E91AA53719837EF1BC58A6
                                                                  SHA1:48074F3F96ACD15A40D48D9960A79C25C3A71622
                                                                  SHA-256:0D6C3879F69F79B617F6E40756BBBBD41AFF8C4C62B46F72920D8F10B7D54B41
                                                                  SHA-512:B7787AA6032A2EF3A8BDC7687A273E7484AC5214A47F1D8033E50221B5EDD3E4172C8E606B993AB9CD9B385EA59F942F1300BF2A36ADDCE7789081BF90307DCB
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.5y..[*..[*..[*.t%*..[*'v&*..[*'v6*..[*..*..[*'v *..[*..Z*B.[*'v5*..[*'v!*..[*'v#*..[*Rich..[*........PE..L.....J...........!......................... ...............................P......................................@.......\$..P............................@..T...................................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...X....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):20992
                                                                  Entropy (8bit):5.897822894466649
                                                                  Encrypted:false
                                                                  SSDEEP:384:u2cLVI0g7pmE10kQeL3xC2IzO+KzDoD993iiM8OjrU69WfXyRl:u2CVhgd/mkQeL3xC2IzJIDobbOjOfCz
                                                                  MD5:87A8090B57C8E40279FAED021F8FA3CE
                                                                  SHA1:74DC136E702C1F5ECBE84A9B30BAD429F6D48801
                                                                  SHA-256:9D57A02B01FAC5733E9C8D6D88CCDB77166F1A6F71B1E7FBEB637432CA61A51F
                                                                  SHA-512:F9322111402E65C9D99A878F968B1B37B1AABC665C3230A4A73ECAB803CAF5EAAE9EAFCBBA44C7AF66D375D4BD9FBFC147C158D0D012FCE919AEBA49DD545BA6
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J.............F.......D.......D......Q........D...............D.......D.......D......Rich............................PE..L.....J...........!.........4......8'.......0.......................................................................R......l7...............................p.......................................4..@............0..<............................text...{........................... ..`.rdata..o&...0...(..."..............@..@.data........`.......J..............@....reloc.......p.......L..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15360
                                                                  Entropy (8bit):5.9687690563619995
                                                                  Encrypted:false
                                                                  SSDEEP:192:kSbjgR3V1sB2GKNDeenY2jr/pQN/pQVvlIC/Jj+Z1c6avWMQxO73X7U6Ckpbcqp0:kuGc4GKYGb7cPcSM8ODrU69gqk
                                                                  MD5:00BA2DDE9143B2898595F0F73DD2CED6
                                                                  SHA1:C0E64069B0E952FC8ED81BABA8AD27D7252753A3
                                                                  SHA-256:B5087E53533CE193ACBF26F6331620AA16469D684B766BFE1618ED86255B8570
                                                                  SHA-512:B1EE68617C21EA702BAE702CC026A166E42E1FBB3DAC989962F87A91FA19B9F4A80853CBB0F2F45F1887EF34D44C823119F206610EB8FB9AAE0FEFA21EA5F7DA
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@..f...f...f.......f.......f.......f.M.;...f.......f...g...f.......f.......f.......f.Rich..f.................PE..L...[.J...........!.........$.......".......0...............................p.......................................D......D6..x............................`......................................@3..@............0..h............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....reloc..X....`.......8..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.596697333548329
                                                                  Encrypted:false
                                                                  SSDEEP:192:BrxLVvUSa6n6ThYWf1AYAhN0FTWMQBOn3X7U6CkpbsS7tJ:BNLVvU36o/fyQ4M8O3rU69QSh
                                                                  MD5:39B7BDC056E61D6A29D1E32A99FC80F9
                                                                  SHA1:9263EE419E2C10DE719EEA7C88CE47DE5FEFFB52
                                                                  SHA-256:6B863FFF33FCE87EF95139F171412B60790AD806FB0EDCFAE2CD86B45565D427
                                                                  SHA-512:5DE1A9C48EAE70C92EB12E8B8A2D2027D0F0045DBC962167219756F382423CF54BB5FDD2822432D7066C8A3B359DB61E293D1638DFDA99E050E7DA23B08E75B4
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.L..."B.."B.."B.*\B.."B%(_B.."B%(OB.."B...B.."B%(YB.."B..#BJ."B%(LB.."B%(XB.."B%(ZB.."BRich.."B................PE..L...k.J...........!......................... ...............................`..........................................{....$..x............................P......................................X"..@............ ..4............................text............................... ..`.rdata..k.... ......................@..@.data...`....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29184
                                                                  Entropy (8bit):6.1440672277002895
                                                                  Encrypted:false
                                                                  SSDEEP:384:1Er9xu4GrfsczLFIcJNfs86PYxX3I4XqX5dSnIoSbzxJM8OjrU69OMpaQ:1mxtGdycJG8bx/6X5dSnpSbrbOjzX
                                                                  MD5:7BC0B0A5EC5F139EE0C95EFBE7734B7C
                                                                  SHA1:C057F863649AF6E7073C3E40768EFA43E5A40AB6
                                                                  SHA-256:D0705245CE4A166E1CC41CC2E2CA53643DEBCF06DF5CACB83451DEAC60993E79
                                                                  SHA-512:BBEF7E285694209B9D48AFE33361138B78AFF6C1D42084FB1A0BAA9A01C2F1F385D8CE165EB8316287EFB6A0631E4F4E614C89922F4BF2B0751C8799920DC2CD
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R ..3N.3N.3N. .0.3N..3.3N..#.3N.t<..3N..5.3N.3O..3N.. .3N..4.3N..6.3N.Rich.3N.................PE..L.....J...........!.....@...2.......G.......P.......................................................................g..X....X..x...................................................................@U..@............P...............................text....>.......@.................. ..`.rdata..h$...P...&...D..............@..@.data................j..............@....reloc..<............l..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):19968
                                                                  Entropy (8bit):5.802242680188909
                                                                  Encrypted:false
                                                                  SSDEEP:384:cjv9yRKAUC6HS5Sst7qx6gcx1MM8ODrU69+j9:W7qSA7Z5MXODW9
                                                                  MD5:40C3B1B7C37B5C98B5F7F295D13FE5D9
                                                                  SHA1:A31694B8F3242504D6BFB4BB74007CDDD627F8B2
                                                                  SHA-256:B12720D94C88013FD2132C408BD17E3A6C0FCB1A225FC48FD7AF4964204F4C70
                                                                  SHA-512:7FE7C0D36C4FCB9B781AD160078A891D79CEBFE14069680ACED6C9599421AD8740A56D6AD1FEFDF9C5081306A4FE9979D12D55479CB4A2C75181FF483A452DD2
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...'...'...'.0#Y...'..!Z...'..!J...'.d.z...'..!\...'...&...'..!I...'..!]...'..![...'..!_...'.Rich..'.........................PE..L.....J...........!.....&...(......?-.......@......................................................................0R.......F..d....p...............................................................C..@............@..T............................text...+$.......&.................. ..`.rdata.......@.......*..............@..@.data...\....`.......B..............@....rsrc........p.......D..............@..@.reloc..@............H..............@..B........................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):61440
                                                                  Entropy (8bit):5.231042583778412
                                                                  Encrypted:false
                                                                  SSDEEP:1536:IpfC+eRfEjc9kthWDfay0GLr584GDuG/wODBprR:xfic94k84GDx/wODBp1
                                                                  MD5:9FE95CFDE7E4CDDA25D5F14A8254674D
                                                                  SHA1:15A6E9DB517CFF6A38BB9C80459488B6E842E2DC
                                                                  SHA-256:D5BD39FB1D2D5E4BE73252961B148ACDF1519B71966F47CADCF120F64120EF89
                                                                  SHA-512:67FF16DC9255445E16A071356B6BE7F30DA80EF3074CA40572E8482D3F65F664809DF5807C23002894816F43FDC0F9050603FFBFC36073ACE02A877E8D8D994E
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j.M...M...M....&z.O...j$i.B...j$y.I.....Y.O...j$..J...M...<...j$j.D...j$~.L...j$|.L...RichM...........................PE..L.....J...........!.....p...........e..........................................................................................d...............................p......................................@............................................text...Ka.......p.................. ..`.rdata..%A.......P..................@..@.data...............................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15360
                                                                  Entropy (8bit):5.781587986970406
                                                                  Encrypted:false
                                                                  SSDEEP:384:knuXn59SKF3mSi9HEipNlM8OjrU69j7k:knuLSKF3mSi9HEiZbOjr7k
                                                                  MD5:BAAEC18B76DC80072BD0DFC60E5BFAD8
                                                                  SHA1:00CB6DD4B194BD5307E13DF83C1987832DFFEDDE
                                                                  SHA-256:86317C0699F7C52EF1BB4A74F7E2BC7F90533327F199E390E7A927BD882D941C
                                                                  SHA-512:6D5FF932BEDA6C813E64C135C0B772AF5A0925BBBE2B8B47045F9F18C7FCDCE0A276BEC0CFACF946A46F57548FFD7D15D8C0B00AA45C9D6FB5D73EE5CA15001E
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<.+N<.+N<.+...+O<.+i..+L<.+i..+@<.+.3.+L<.+i..+K<.+N<.+.<.+i..+H<.+i..+O<.+i..+O<.+RichN<.+................PE..L.....J...........!......... .......%.......0...............................p.......................................?.......5..P............................`.......................................2..@............0..$............................text............................... ..`.rdata.......0....... ..............@..@.data...X....P.......4..............@....reloc..D....`.......6..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14848
                                                                  Entropy (8bit):5.74169455516641
                                                                  Encrypted:false
                                                                  SSDEEP:384:BH/jjnIh5uQTf9BHy1hH1M8OjrU69L2of:BfPIh5RTVBHy1hH1bOjD2of
                                                                  MD5:60C9E092FD8BE1A4D9BBDC0798EAED12
                                                                  SHA1:720FDAEAC92E8557A5BAE22B653BC9CAAB5145CF
                                                                  SHA-256:7DA224C637F85CDEAEAEBF90691E1F947FF3D02460D8B3829E2D5E415165B1B1
                                                                  SHA-512:07E06CA58F844971463EF8447494E9D2BE26F4F3AAFD2EC35BD1B911BA3BA4E2ECC5AE2FB67FC3F18F2741C44258B5E035ADD5EA2700DCB6251C634ED775C724
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.P.%d>.%d>.%d>..@.$d>...C.&d>...S.*d>..kc.'d>...E."d>.%d?.rd>...P.#d>...D.$d>...F.$d>.Rich%d>.........PE..L...R.J...........!........."....... .......0...............................p.......................................C..%....5..d............................`......................................(3..@............0..l............................text...K........................... ..`.rdata.......0......................@..@.data...|....P.......4..............@....reloc..l....`.......6..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.598719569806605
                                                                  Encrypted:false
                                                                  SSDEEP:192:VmScxV1iVAqbel8IQsxR4ujTWMQBOn3X7U6CkpbCQ/p1w:VmScx+feW6sM8O3rU69GA
                                                                  MD5:B5084A3801416E12BDA28D18DCA3708C
                                                                  SHA1:6C272A3BD04D08FB4C2CA5E6A5AA1BD88986A9E6
                                                                  SHA-256:0F7E2651A708E625F7D1D993530B52EBD5CA2595C9E09EF1438CAE5B05F8E5BA
                                                                  SHA-512:A4DCCE8BEAFE73580A86286B00261A2169F05BEC1AC2205BEFC47A7D0C93023EA7A321BD8D0448F9F9777E31CEB45BC81B756A19BFE4BC47C3799EE8C68F60EC
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............].].]yN.].].L.].].L.]...]-..].].L.].].]...].L.].].L.].].L.].]Rich.]................PE..L.....J...........!................*........ ...............................`.......................................0.......%..d............................P......................................."..@............ ..8............................text...k........................... ..`.rdata....... ......................@..@.data...x....@.......(..............@....reloc.......P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):61440
                                                                  Entropy (8bit):5.489491959961167
                                                                  Encrypted:false
                                                                  SSDEEP:1536:eg9CQl5tOVotDGQEdDrjVn0DoZNRODuOv:RD/2nVn7NRODuOv
                                                                  MD5:FD4EF0D62276582E328A05F645B36BF1
                                                                  SHA1:DE575BE9FE81F492029A5CD9061E1D45BC1C2914
                                                                  SHA-256:3E96C478ECF435AE8C480D72C18C61D7378A4EB31DFFBD636DA01B7069A19E48
                                                                  SHA-512:E025B156DC23A0D7D7AF378D5A3FBFD8E2E71FE2CD682077F5DEE3BAB8DC9993FB096135897CCE0C8431EEB2F485CD99FA830F7629F235A44F4455C667FAF304
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>\..m\..m\..m...m_..m{..m^..m{..mR..m..mX..m{..mU..m\..m...m{..mT..m{..m]..m{..m]..mRich\..m................PE..L.....J...........!.........`......J...............................................................................p...(...4..........................................................................@............................................text....w.......................... ..`.rdata...9.......@..................@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15360
                                                                  Entropy (8bit):5.744108425988404
                                                                  Encrypted:false
                                                                  SSDEEP:192:luJFHFE6fOjcYGTdKAM1MG1AaS3fUK8gX52bcegvWMQBOb3X7U6CkpbnoF3Oo:luS6mjcnTQAqA33f0JM8OjrU69z2
                                                                  MD5:03A857DCB4A249FB417765D9167CE4C0
                                                                  SHA1:823DFB3D9C0880FA4D1784F50EE2CDE3D0D80D55
                                                                  SHA-256:44D4D7A056C05B8E3BECCFB16E32E0D39B05D68AC5115FA14D41C983E6D4D614
                                                                  SHA-512:7C057B6CAB444C16C85E7FEF3C192720711AA032B80149EF7051247F2642419D5B9ADEBB7531D9BE824FFB026B1430FBEFA1211EA06326CD30DF58DE680EBE39
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i...:...:...:kP.:...:.R.:...:.R.:.:?..:...:.R.:...:...:...:.R.:...:.R.:...:.R.:...:Rich...:........................PE..L.....J...........!......... ......j%.......0...............................p......................................P@..*....5..d............................`.......................................3..@............0..<............................text............................... ..`.rdata..z....0....... ..............@..@.data...h....P.......6..............@....reloc.."....`.......8..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13824
                                                                  Entropy (8bit):5.737833632328742
                                                                  Encrypted:false
                                                                  SSDEEP:384:pihkCnt75f8B48MpxDJ0/BM8OjrU69Jsl:pix5kqzW/BbOjxsl
                                                                  MD5:BDED811B76033300167B57ACBBF73E8A
                                                                  SHA1:B8701FEF2C4E5331C71EF7978EC29DC33BE97361
                                                                  SHA-256:9C14D5B1FFA34DB167B2F8012C878FD736CF5759794F39F20B8A1FBB7AA0ACE0
                                                                  SHA-512:719E263F95BE1335E3E59CACA0DC0F6D7EED508998B7F02A48D295E23CCEDE2C8E591EAA2E1926F97B7CEFC223640DFCD40EBB37FBBE9C5BCDE0E878D193BC8A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R)t..H.^.H.^.H.^..d^.H.^1.g^.H.^1.w^.H.^.GG^.H.^1.a^.H.^.H.^DH.^1.t^.H.^1.`^.H.^1.b^.H.^Rich.H.^........PE..L.....J...........!........."......z........0...............................p.......................................B.......5..x............................`.......................................2..@............0..\............................text............................... ..`.rdata..e....0......................@..@.data...x....P.......0..............@....reloc..f....`.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.581239626160596
                                                                  Encrypted:false
                                                                  SSDEEP:192:HaOrkmboilNB5urd8JlvWMQBOb3X7U6CkpbVoKwMdMbH45PtF0DJpQRVFZ:6E1oil4OWM8OjrU695IuRV
                                                                  MD5:5F7E5D01EC5D88097106B377B21EF8C6
                                                                  SHA1:002AAB487336706615BB5B3B9726E172DA236ED5
                                                                  SHA-256:5FC58FC3D2D9E71AF2964D3A05736DA55D721AAC7BD233054D9057ECABE6A95A
                                                                  SHA-512:A070DFDB684FDDBC67E568D895A4A25C46E1DCB61EB30D38DA9754635A1B881C928738BECB9A19831CEF2CF14CCD72D1DAD3AD0DDE1BD193ED44990670619E95
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23040
                                                                  Entropy (8bit):6.0185983042474245
                                                                  Encrypted:false
                                                                  SSDEEP:384:bUSDLPVqV89T+TIrJkBzzDoD993imM8OjrU69pZeeS:bvDLtqV897rJkBPDofbOjRZeeS
                                                                  MD5:E9ECB71D583C0D0501166CBE2979F675
                                                                  SHA1:415C62CA9ECEED47CC2674530BE5EF1C3123B0E3
                                                                  SHA-256:69F998188E3ADF6EC7F3E2B41221332D4254F9A1D07348B0E78F82EABF68FE27
                                                                  SHA-512:345E9E24C42DF8D281BB9CC3109D1BE4BD326CBB33F44093A756223338B334AA04414233D1B677A5CA5531B350EC1BCFA3588D1F6235B902157891256CFBA615
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):24576
                                                                  Entropy (8bit):6.126011851736288
                                                                  Encrypted:false
                                                                  SSDEEP:384:9PIqApFAKs9ZYVcyjsa104eThM/1zBVdddI0oRdAx/IZGYaU9eM8OjrU69LopQZu:95qjsa1r0hqjdddB2zlaU9ebOjTcQZ
                                                                  MD5:78C0821128755982420E8BBA1D400BDE
                                                                  SHA1:374D1BA9B56238CF9405AC8791CD73724231A47E
                                                                  SHA-256:56966335EEA5A3741F0F1F8FFD2B6E18CA9366CDF33F7875FC28664EC81555DE
                                                                  SHA-512:12EEC2A63513311BAFC401225C62493434DFF91474369636E4F6FF891D96ABC33A7302D4687D59263553CA313697B62A306FCEAF37FD7572244EF02C82AD9D2E
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.606253657623495
                                                                  Encrypted:false
                                                                  SSDEEP:192:W8rbKRpCWnAnG6NgCl4qR6JlyyjTWMQBOn3X7U6CkpbHWXiJ7xl:W8rbKRsWkfg0RClWM8O3rU69LbB
                                                                  MD5:4FDBD751F8C30E5D633359B14ED81567
                                                                  SHA1:05C19272A4FB595D63E738979B4B3ADCED382A14
                                                                  SHA-256:798251EB6704BA2F3A7ED5201BB6D7B8084607BD7064B568C26BA1CF68CFA80C
                                                                  SHA-512:5411D36A9170E9F09C9720D2EC3F2F1446FF3BCB6A2F4F7B57146B113CB00F863B585E546C2FB6526903404A7690265CDC31F062B485CCBBAA261A71039CAD91
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):139264
                                                                  Entropy (8bit):6.277377683183863
                                                                  Encrypted:false
                                                                  SSDEEP:3072:eGfi0JiOdPijVDjrv2Uny1930dzEZSbm7+AMctkcpYko7EYDutrfvNX6WODdOh:eGf3PiBY930dzEZSbm7+hieEth6WODdY
                                                                  MD5:5D512E542C0E9D37E753BE25675E79BA
                                                                  SHA1:4F888C098277676B45FFF06F69F10B182B581B9D
                                                                  SHA-256:094BDB2E94182C27DD1F6A03308A037DDD31ABC46B1F1909959A24593D04C87E
                                                                  SHA-512:48F2E736F1E9DD48999B2DA4DE402850CCC39B1462AE1B3EF7501EA3627CD8A2C3B1566FB7ED066656176D97BD96B896ECE59E1FF98D009450FCE44F403A6D5B
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13824
                                                                  Entropy (8bit):5.715147873835403
                                                                  Encrypted:false
                                                                  SSDEEP:384:wqGUp58JUlOEfEfYtXa6y+tVOJGxn+UM8OjrU69+xBgo:wa58JUlOEfEfYY6Vbn+UbOjmHgo
                                                                  MD5:FC3D483FCEC42802949962B351452200
                                                                  SHA1:2B934D8F0A4FEEC41C8EE9D76EB3AD9ECF993261
                                                                  SHA-256:6C0FCBDE4035284F7FC3984935B7F85B886E2DDBB7EB79202EAF0006DE09B092
                                                                  SHA-512:B4FF512E136A8A5BE6500688F893B7DD8A9EC81787637596F8B76768C12C4C78EF4B09F27BF921BBEB227DE9C6D4AA2ECCFEE9846111D4D3851674B811B39EFA
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):5.425573896255858
                                                                  Encrypted:false
                                                                  SSDEEP:1536:YGesHOAr8k3IPnps2odCQ9MfQUJFIGI9IOj1txL:Y0n8k3IPn23MtJFIGgIOjL
                                                                  MD5:8FD30B5F197ACA11D7C08D4CF31C2AFE
                                                                  SHA1:6CA463EE79251982C771979948B303068E543C60
                                                                  SHA-256:F105D1BF72B44C6B30958DBEB119AFD4E0535E92A1B22EC42CAFBD50A2E10AE8
                                                                  SHA-512:7D93452E0503194C54F43CB13B89AF074FE1EE621E868C2054BC351745B51EE8723D333E7F18B87DF339CB228D34BE04CB31AAF38ADB2757F0117E220DB63D85
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.656082259904464
                                                                  Encrypted:false
                                                                  SSDEEP:192:V3cU0v3nXnZj2AALY8y6XWvFTW2lz9cTWMQBOn3X7U6CkpbIMSKUpTe:V3cUAHnZRyYEXWNTvxTM8O3rU69Uv
                                                                  MD5:04B78BE596096971AB798C7D6E0C4133
                                                                  SHA1:A3BB18116F3C4A60CF168B63A379CF341AE1D448
                                                                  SHA-256:641399D006D913F6E9FADE19855A02EDA0FC8CBD44A64DFF533A187CD2FB177C
                                                                  SHA-512:8A4A8E47042BDF3369357ACA0E42F00766CE9820783B629F478746BE9A9D4F06C8FAC592D6AA5C262147CA5D6A4F1E3008D52645CCA76404694FC0D03930D8A8
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.820916061106255
                                                                  Encrypted:false
                                                                  SSDEEP:384:5rCRn+zKmJw5lfOmCJ0613M8OjrU69yFeNmD:5rCRn+zZw5lffK0613bOj6FekD
                                                                  MD5:61B2639AB088F62099B292D1F72D18CA
                                                                  SHA1:D8929605A9781F9D9E3784E13884BDE2C098C95F
                                                                  SHA-256:1578DB8294CF6CC39FBD77B7EF7C4DF96753FB3A661E800F8B2CB923979D6F90
                                                                  SHA-512:E4564637F8846885A037578F0351151FF8A12B008F71D48D60FF39CEDD0328EBB3AE0882B643D1BD97532BD9E579B3DD70DA38277FC7AB9E8BACD8A906E0EDC2
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.455651814380428
                                                                  Encrypted:false
                                                                  SSDEEP:192:M958RPVffDey83K+HTjD8NvWMQBOb3X7U6CkpbXppvVY:g58Rt3N83bzjXM8OjrU69Fl
                                                                  MD5:306758F120B240DD5C627AA2CDA59324
                                                                  SHA1:4606697AF6FA314243C8DC81908E25AA45321F32
                                                                  SHA-256:DEC7A1C7EBFCAEEE5FB20A82777C1167CB47B703B9BDE85B126E32B78D53C07E
                                                                  SHA-512:F40A56C540E11837909A2DC9E414B58497E1B23D89580163230F3D7AE3CA157F2B4FDA30218E5CE93B390BC8B33CA067C2CF4BEF79FF8F6BA34FB69F9298EFC4
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.642275275169165
                                                                  Encrypted:false
                                                                  SSDEEP:192:rKatPOMSVMd28wlW8KNfaRqLvWMQBOb3X7U6CkpbOTsdEpggQgK7:rxtPOMMMKZPM8OjrU696T/L5K
                                                                  MD5:400FB88A3B29C8D8B71F685D097A600C
                                                                  SHA1:37531311CB35F05184A81D6C92B7EE482433CF14
                                                                  SHA-256:A8C5CC1D6FC8CC6433B46F23CD2291CCC60E11161B1E83F59482085C9871542B
                                                                  SHA-512:EE59F6DADA8DB69D81B80D374BDC93BABDA58193C26DFA063CDAF4A0AAC20A865C6A9DBDF6FD4C7AF7685F2DFD6156576C4EAA1C0A63528335C129AE55AD8A37
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38400
                                                                  Entropy (8bit):3.990142748892908
                                                                  Encrypted:false
                                                                  SSDEEP:384:cRB4fCgxVJH5WtXAESO+cegM8OjrU69eoz+:oB4fCgdZWpAESOPegbOjm/
                                                                  MD5:A44043342D79382D3207A62D630081FD
                                                                  SHA1:8E3DE1DFF281435983960149A416EF44D45B33B5
                                                                  SHA-256:ECE4E3F0BD6C2CF7E450EBD0964003D97A99D7F1A8947E9D5856619DB0FDD903
                                                                  SHA-512:27183691AAD1F5446C5D8CBC9D65098C164836C85F9069F920004FBCE59EBD7F2E5541621BD9EBA182538F4F27AE1171CA9E275A50FCEC58BD5B4967247E03B7
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14336
                                                                  Entropy (8bit):5.78460442210986
                                                                  Encrypted:false
                                                                  SSDEEP:384:hPeCCKzIMK7F93eDba7uYM8OjrU69m42NyEN:hPeClzejeDba7uYbOju42NyE
                                                                  MD5:B03A2E2B58272AC158E0F087C504DE1E
                                                                  SHA1:8241C5E3ABE0EABCD2C95ACE534E0EA9C2F91DE9
                                                                  SHA-256:11941ECAC81918D8B470098351478A93DD5F55DAAF5FF383750F3528141C9D03
                                                                  SHA-512:A1EE62A6A9430EEB349D0DCB4629862191BFF68C026F340A024BE1500C3D0D9789CB0DCFD3871E831A1910854B9362423E6C86339D8A048F38064A78973EDB81
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13824
                                                                  Entropy (8bit):5.748003622083443
                                                                  Encrypted:false
                                                                  SSDEEP:384:iqa7b7PZguC2GIhNyAm6uuxM8OjrU69tfKIHC0HNfs:iqavrZgh2lkAmTuxbOjlKIHC0HNf
                                                                  MD5:9F9F3346D64EC5A78FCDD27C1A52B084
                                                                  SHA1:ED483C4AC46CC78AE684A36B64028047F8BF8670
                                                                  SHA-256:B82410A8D60CB6413CBD1E9AC296E83893CF326E8BAB5CD828E729F4046881BC
                                                                  SHA-512:B03ED884DC208B0312549204905494E2E1BF7D66227560E8F364187031A1FA2A881CF359918EDBDBC0E6ACA408034586743D8FF4A05BC8F0908FBBBD4946470D
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.425562752347602
                                                                  Encrypted:false
                                                                  SSDEEP:192:kLRxqbRnNlF5cB5VGfc9PmvWMQBOb3X7U6Ckpbua2Vhp1:kLRWnNv5oqwP5M8OjrU69al3
                                                                  MD5:20E5C26D9440F1D7957425CAA4F6B2AE
                                                                  SHA1:94F198076C19B0D002B224EDD73571C5B72ED71F
                                                                  SHA-256:3F54223083502CA07E690B24522EB3C0435B1FB481965E033E6C44AB6CAF4863
                                                                  SHA-512:B1A1F368DE764B44C44BED8F1CDEBE378D34B8FFD332645C32123BADAB555C409B5A18ADB499A1EE06226CE313AC2E67677CBD9981F77546805506B8DEC52787
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):26624
                                                                  Entropy (8bit):6.2171130902469915
                                                                  Encrypted:false
                                                                  SSDEEP:768:ZX4o+6wz2FC+NwAy2Jsn6fcUM+mohbOjdPw1:9qzoFy2JsmPmolOjFw1
                                                                  MD5:0FE81D655DF93B553FDDC00ADF8F0843
                                                                  SHA1:7D28214BE5250ADCA4CA15244A9C1B1DD0607BA2
                                                                  SHA-256:1D24CA8B663412EFE1D02E3F066302FF5CFFF0A363278189594B9EB8BA57FFA2
                                                                  SHA-512:15061D1A9E43BB326C4F9BEB7C2249710F25CEFC7AF3C10DB7169D8EB0074ED4B586F993DF6CCF8E8080452B7829FD85ED45E4B985B976CFB859A42D4C32DCC1
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15360
                                                                  Entropy (8bit):5.875391374483905
                                                                  Encrypted:false
                                                                  SSDEEP:384:Cq/DQkO57NPv8IQ/54cFM8O3rU69pLa7:CqO5CIQ//FbO3RLa
                                                                  MD5:29125A413BEB827A908C8B4682D8B3DA
                                                                  SHA1:D440CB5573F8F4EC017C1A47703774BEA68B0AB0
                                                                  SHA-256:20778489ED6A9A5EACC4ECF93517735098D414188EC8C0CB64FDEDE677AB5DC5
                                                                  SHA-512:1441105B80BB863700208FF31CD38062EC321F4B38B01DBAC567B4AAD5FF6B066CB1DBF7EC2C59342A5D1C0113C5C11150C03C5F14E0A831E6527F93E211C42D
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.630064501357249
                                                                  Encrypted:false
                                                                  SSDEEP:384:iIIt8NuKH5b19fFBAeM8OjrU69Z0g5ofE:ia4KH5b19fFBAebOjB0g5o8
                                                                  MD5:28F5139F7B686B5F0F2763B5CDFF12CD
                                                                  SHA1:24E36512D49EB8F7849D5E5E7A43DA6967A241ED
                                                                  SHA-256:9A8152B8D42AD3F6F359D46A72926EEDBC22B2AC40408253C96D7A9E0EDF959F
                                                                  SHA-512:DA2E09A49D4277C8EB687FCD9860457CB9D3913140C25B9ED9CA10FA08332F4FAEF456DD907404603B579E3F48B3B261FFF99DCD2FBACC616A9BE4B3051FAD41
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16384
                                                                  Entropy (8bit):5.857536536824617
                                                                  Encrypted:false
                                                                  SSDEEP:384:EvNgJgbhPQzQzmRbdNEv88h0/pKoV5+UX8M8OjrU69MXFRe:EiGbZQUSTS88h0/pbV5+UX8bOjkX7e
                                                                  MD5:DA509AC444BD9330576F9CBC05BA4F57
                                                                  SHA1:697BAC29A45EE87351521E213DFE93CCB1B0B918
                                                                  SHA-256:653C047DDE1F6A316D5189D7219AF75BCB3402F0E4ADF181AE939B076EF5EB28
                                                                  SHA-512:E0C2079F4F0688663293F875C582FC6527D493157C9FC892B1E03FAA30AE2A0FFB5BC7A26421F002D98448F274C263C40DEDABD55E15AF43E8EA2AC75BA02773
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10240
                                                                  Entropy (8bit):5.484962250579608
                                                                  Encrypted:false
                                                                  SSDEEP:192:UHQJT0RW5QZETK4QCwIHhMnNkUy9/TWMQBOn3X7U6CkpbFJtUpNZiEPfc:kQJTJ5QSTK4MIHOfM8O3rU69J45Hc
                                                                  MD5:5C33BDD08F7045EE9FF662BFD54C6F83
                                                                  SHA1:66DCDA00648094343A4AC928AB420B46CF8A43EA
                                                                  SHA-256:778DFD2263F038A144612E3DB419DB558EEE19A8205EE1159611104C0251303B
                                                                  SHA-512:54A6863A1FCC391EF10EC52958D3AD876723805BEC08F5E3726DE53EDA600E4655C27364CEDC21584A0CF95210E60FE1CCDD5D635B5038BF7242046C76778A88
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.6932518965815415
                                                                  Encrypted:false
                                                                  SSDEEP:192:CYFaUoS5aTyBsCZ5SgB8QZfkvWMQBOb3X7U6CkpbUKcp5XT:CYFVaTyFZL8QZDM8OjrU69IdrD
                                                                  MD5:C3ED27A4E5B27836E120ECA2446189ED
                                                                  SHA1:E8A8A0C106F6C8444DD240951B82FDBE264A3F53
                                                                  SHA-256:09D109383A66CE1657797278A6E70B2B6AFA45AFDE891C174936A5593C77D593
                                                                  SHA-512:6FAB5B096DC2017461C34EF9785F03CD47F8FF7C1E4901612A8872BE6ED801527CB92939078BFB9E452E3CBA1E6CC5C40C374D1CD0A0499B005B928B859417C2
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13824
                                                                  Entropy (8bit):5.676110059691091
                                                                  Encrypted:false
                                                                  SSDEEP:192:D8KfB7Sp5x8jbJ1AruqVLZE3b9h8G+6Dx8DRKUd5TWMQBOn3X7U6CkpbVTW+6:D8yB7HQa83yx8odM8O3rU695K+6
                                                                  MD5:7E7258C3AD21DD7958D4CBCA4685F58A
                                                                  SHA1:E143BB43D24972CB1B06DE22B15F916A8916C718
                                                                  SHA-256:E475239C0336A0AD9CB8289049E868997E4D88F313585328BF8062594082A42B
                                                                  SHA-512:1138119BB864C1D85E3040E891071CDF775BBBA5851D61B8E9AB3772F6F533161DA41EE7125EFBEABE3CB7A47F9E690B982312C5696B3FE981108F87CC799710
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):94208
                                                                  Entropy (8bit):5.696511157683407
                                                                  Encrypted:false
                                                                  SSDEEP:1536:7HllhE5oD3arUiUlHUN3pJwK5UAwPKkndOjn:7H5ZruAUN3pJwK5UASbOjn
                                                                  MD5:4463AD6A2DAC1B3E072DC0525E94087E
                                                                  SHA1:5069BA28EB95F4EF01458F32C4DC78B1A5C5A81D
                                                                  SHA-256:ADF4EB5F97445ED86EE4DF1911A1B9B9AB04A1E3C6A7C86FC94B0D9E9B33497D
                                                                  SHA-512:8C0D4EB9C1B52C40EE523093F97AA807FB89B7AFA6A8E5D6DA01F39BB93A3CCD8ADA7FDA4D399D983591BAD449F0D57E1B1CB8010D460C57799A06D732C83C41
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):17408
                                                                  Entropy (8bit):6.004347058718256
                                                                  Encrypted:false
                                                                  SSDEEP:384:2szxHLvSDY9dZYD6TU9783KqFOM8OjrU69l:2szxGs9dZYD6A9Q6qEbOj9
                                                                  MD5:2AFEE197C7363772F99B629446EA1156
                                                                  SHA1:5FB205F80F5F26A6F5ADEB35FC4BFAEE67D243F1
                                                                  SHA-256:AE772E323404B74451101B4BCA85AAEDB62FE4A8AB609043494A3156B6A75CA0
                                                                  SHA-512:C38B0CCE4F9D387380688E03B856E0AB62D357A13D25C18AC2DFB661E6D27149152952933F5A77013941FD28D64143A28469AC93C05686B98F8FFCC6E1A75529
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.458047152742733
                                                                  Encrypted:false
                                                                  SSDEEP:192:uhe5khyTEHZaI30p/TWMQBOn3X7U6CkpbCzVpYB6:uhMkvHUa0wM8O3rU69GJqB6
                                                                  MD5:2D49F54D189BD7AFCDB593BC2727DCF0
                                                                  SHA1:FB46C9F717B59BDD103D3977B4E8EE19752FBA18
                                                                  SHA-256:42B2B9E27B3B7B669539EF815A6FD31C067EA860B871CD00CF1E9582EC02B91C
                                                                  SHA-512:70CDA4450A833FBD739A63BA6665B29ADD1D3E183845AA41AAFE982A8FB41BED38368797FE6B2D4A7826FF680B19AA2A87101D9F35222443BEFFAB4237BD8708
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.380301447514656
                                                                  Encrypted:false
                                                                  SSDEEP:192:UHffmtDCCedSQTgl5BTI8xOr1JSTNvWMQBOb3X7U6Ckpbe5raxPpY7:kfeVC/AlDsi0M8OjrU69qJaNI
                                                                  MD5:C09023C98356FC931A25FCB5E6461B5D
                                                                  SHA1:5644F0E0E5726B6AC8D1BAD0AD0F2DC53B686237
                                                                  SHA-256:D4D534C763D48A9C4E9B023E801D915439C5D2328522C4970BFF3E3FD89EBE48
                                                                  SHA-512:35679D040D74054B7409904571724381AD7D4F621C0D39E30F4868C4EF50CA88A1F311915C1203621032A7E3255F873391F5E575D8A8E96E494540ABE638E37C
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):17920
                                                                  Entropy (8bit):5.715875002478374
                                                                  Encrypted:false
                                                                  SSDEEP:384:fi6MTh4R+EdWix4enuo3ZkNM8OjrU69TD3IBaY7oUN:f6huzWix4bbOjbT2aO
                                                                  MD5:49AD01AFD7A3CD86F924C3F83F79E415
                                                                  SHA1:4D0DFEBE3E0CEAEC50F868DB5C7FC0B593E3504B
                                                                  SHA-256:7F71F14F8D30FCC8E338E0AEAF68A81C1537BA4132FAC638C3D1C5A2E01A5A35
                                                                  SHA-512:E85DE8DFB09544653374688F9C81437F5EA7B5B590A04CBD665E3C69D2663408E6B47967EE5747A99CE914CFEBE50E933126C4604F8EF75603968160BEF0CBD6
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.LR...R...R......S...u..S...u..\.......V...u..U...R.......u..[...u..S...u..S...u..S...RichR...........PE..L.....J...........!.........*......S$.......0.......................................................................G.......9..x....`.......................p..,...................................(5..@............0..|............................text...k........................... ..`.rdata..d....0....... ..............@..@.data........P.......:..............@....rsrc........`.......<..............@..@.reloc.......p.......@..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.704041085726467
                                                                  Encrypted:false
                                                                  SSDEEP:192:QFo3/Tia6itNBpmzNGIKFAwnHXiG4qyWMQBOb3X7U6CkpbiASXtmxRJvbmM3wFYu:Qq3/Ga64QNdiACXiG4wM8OjrU69mvr
                                                                  MD5:251D4A1A74222DA72470121FEFB93904
                                                                  SHA1:ED3773A38A25705042A8CC91E41D323352984585
                                                                  SHA-256:63F53538451657E07F1B53CBCBC22FF68CFFDCB885DF545D41BC7464C6BB3A82
                                                                  SHA-512:083A8E43B095611B1D8E516A5DF83F91D2E5AB5C320F227F777F47C7817DE597CDFCADBAAAA70158E81AC1E9747870B65C777DD1F580E8D391CB097F65373E7E
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.9a..W2..W2..W2.t)2..W2'v*2..W2'v:2..W2..2..W2'v,2..W2..V2K.W2'v92..W2'v-2..W2'v/2..W2Rich..W2........................PE..L...Q.J...........!......................... ...............................`......................................./......<%..P............................P......................................."..@............ ..8............................text............................... ..`.rdata....... ......................@..@.data...P....@.......(..............@....reloc.......P.......*..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14848
                                                                  Entropy (8bit):5.7262049911272666
                                                                  Encrypted:false
                                                                  SSDEEP:192:DNnUYB0ZYpUsQLiisoGvQJTXvWMQBOb3X7U6CkpuAzpeuEvzg:DNnUW0ZYVzis/vkCM8OjrU69uAI3v
                                                                  MD5:2DAAFB29918109B9EF0AA01B3B48BA60
                                                                  SHA1:99747B65AC0039C88C62D8F73C8EC632020BF6C8
                                                                  SHA-256:C6A4C0C2C1BB317681CFBDD80FCA8459821518B020B5520A8BEFD4F2E61B033D
                                                                  SHA-512:3C67A5763CEF5D9AD878B7E6BFCA0167EA7B893F54B3B3C8E98708B6F83269C9DBDA1777606AE2D2A9F8A2AD541D0E682CD22F564FD51B6164ACA77F0FA6C729
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9...9...9....W..8....U..:....U.6....U..?......<...9...z....U.?....U..8....U..8...Rich9...........................PE..L...t.J...........!......... .......".......0...............................p.......................................@.......5..x............................`.......................................2..@............0.. ............................text...+........................... ..`.rdata.......0......................@..@.data...|....P.......4..............@....reloc..0....`.......6..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29184
                                                                  Entropy (8bit):6.08028701237655
                                                                  Encrypted:false
                                                                  SSDEEP:768:HcxiPbu7yGjjLSflfE5qRwAwQwbgM2bOjouPj64Mm:8xiPbBGXLS5EkR8JbgMYOjnj64d
                                                                  MD5:CB07115BFDD03D72208D3CE629EA7E13
                                                                  SHA1:71F8F3357EEDFAF51B7DB024B58AB3732169E318
                                                                  SHA-256:FD8405793F9E775747094E689BF8DA66C54A256347300D9514960E2D1634D235
                                                                  SHA-512:4C2806660A3C3564E6882C902A8CFFBC79375A2C497001993AF6C247BD8FF8504C1C24A35C526A6937C565CA7E5F4DF764A3028227BF688BAF90616B0F4574C1
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x[...5@..5@..5@..K@..5@..H@..5@..X@..5@..N@..5@Z.h@..5@..4@..5@..[@..5@..O@..5@..M@..5@Rich..5@........PE..L.....J...........!.....2...@......Q:.......P......................................................................@v..F....]..................................T...................................XZ..@............P..H............................text....0.......2.................. ..`.rdata...2...P...4...6..............@..@.data................j..............@....reloc...............l..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10240
                                                                  Entropy (8bit):5.573873817564309
                                                                  Encrypted:false
                                                                  SSDEEP:192:SiWBQaz6vKNOfc0sQsoK0JTWMQBOn3X7U6Ckpb6IvpZ7tV:STBWiNOEOszM8O3rU69O8
                                                                  MD5:9553698B13606C4186A09D14796DDB4C
                                                                  SHA1:0538EDCD73F3887E29224FC89A1AE996376C261C
                                                                  SHA-256:4F8B2B6580E4740B6C0E0144BB93FA1F518A9F2DD95C07D4E0F7723867227A43
                                                                  SHA-512:DCB35DDECE3C823E55893794E867E3B737493C445158A3CF32A024446F0B8182E81BDC2F4860FDC4A16AE6AF8FB4D6C69748FC98D5525157C54FF433C086D581
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`..}$m..$m..$m......%m......%m......*m...b.. m......!m..$m..em......"m......%m......%m..Rich$m..........PE..L...y.J...........!................^........ ...............................P..............................................l$..d............................@..L...................................("..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...X....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16896
                                                                  Entropy (8bit):5.800159334364939
                                                                  Encrypted:false
                                                                  SSDEEP:192:tSiLYqASNmB46pttpNruO+FvkUXbF7biib7tWH2uo8ruvWMQBOb3X7U6CkpIuvF6:0icn1tt/rrJIbUi18xM8OjrU69IyK
                                                                  MD5:A5380EE36AFCD12875A7D8839B2E09FC
                                                                  SHA1:1D6869026A34481F0644432AF9F3872C7F35361C
                                                                  SHA-256:E12467FA257703E485420FF490AF1AD9BABF0A1487ED9A61096D2390F3D7D00F
                                                                  SHA-512:EA05AFF64C754E9D8F1A0D8A7092B3EE6824BAC7DA0A0D37A19F87F5D3546C4BD8704240A66219D8868F46CC7BBA5D6145992FE8440E142B0D97C0A90A83A71F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P..c>.c>.c>.2.@.c>..C.c>..S.c>.flc.c>..E.c>.c?..c>..P.c>..D.c>..F.c>.Rich.c>.................PE..L.....J...........!..... ..."......f(.......0...............................p.......................................A.......5..d............................`..$....................................3..@............0..8............................text............ .................. ..`.rdata..,....0.......$..............@..@.data...|....P.......<..............@....reloc.......`.......>..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14336
                                                                  Entropy (8bit):5.66119383531949
                                                                  Encrypted:false
                                                                  SSDEEP:384:P3vbx5659fzZCTowQwOgHBM8OjrU69MUiXSmGtG:P/bx5659fzZCTowQwOgHBbOjkUiXSmG0
                                                                  MD5:7C6F86B3F579D871A26BD23118E766E3
                                                                  SHA1:BB74E1D8EFB48759234F40FA73922DAA3C0B2D52
                                                                  SHA-256:2173FE09F6942E7D99CA60A3CCB3F7352D85B3A57E5EB4610E3E209609E1D005
                                                                  SHA-512:3208ADA8D0E880515EB6C6A7D651B6AFAED706F91E80FA6DCE75080630DED59E619C6795F493F35A5EF22E80E146C399AEDD950E92541F1A4F5B537A411A2B33
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x..x..x......y.._...y.._...v.._...p.....}..x....._...~.._...y.._...y..Richx..........PE..L...$.J...........!.........(............... ...............................`......................................P;......|&...............................P.......................................#..@............ ...............................text...;........................... ..`.rdata....... ......................@..@.data........@.......2..............@....reloc..Z....P.......4..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16384
                                                                  Entropy (8bit):5.780452194535891
                                                                  Encrypted:false
                                                                  SSDEEP:384:rsEUEasd69YfV/HoXHM8OjrU69V473sV:ITXsd69CVgXHbOjt478V
                                                                  MD5:786DEE932C984905EE0D69D5EE5D5B6F
                                                                  SHA1:DD8FDC9ECF6C2AF5E5D25DF800F6438ACE3B1255
                                                                  SHA-256:CDB270AB64774F7262E60AB6ABE2B065BA2FDD15A26F91AB36149F4F66D3E5C1
                                                                  SHA-512:A4F9D35808C1002E29F686AD98931A3533CD3262711EF5AEB56714863DB20ECF6E9A941EBF0E3F7FD4D63C67D6D4B0807EE973E419B6EDC6F2C5F10D57258896
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..y...*...*...*.t.*...*'v.*...*'v.*...*..*...*'v.*...*...*...*'v.*...*'v.*...*'v.*...*Rich...*........PE..L...d.J...........!.........................0......................................................................pP......47..P............................p......................................p4..@............0..$............................text............................... ..`.rdata..."...0...$..................@..@.data...x....`.......:..............@....reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10240
                                                                  Entropy (8bit):5.5552143696501926
                                                                  Encrypted:false
                                                                  SSDEEP:192:UHQpI10Sj4KCwIehV8BnT7d/TWMQBOn3X7U6CkpbFkHrpiO6:kQpITj4OIe2ToM8O3rU69Jcd
                                                                  MD5:02F2E67CB853F7953A3C9A678FE09AEF
                                                                  SHA1:A2F734DBD460568A30F4B9313C2B8E52CD90E6D0
                                                                  SHA-256:AB4B6E37ED4B9A0ED4B05DFD9A4F99788E868F28831C8795AFE455848113F3A7
                                                                  SHA-512:03B99539D2634789F277149F4356BC06A942A8E74AAEDAF190B32172F2FEB17EEE39612E697B69CEB14ACD5C75C6D1FB256341115976C62D5512B8036735E115
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.7y..Y*..Y*..Y*.t'*..Y*'v$*..Y*'v4*..Y*..*..Y*'v"*..Y*..X*A.Y*'v7*..Y*'v#*..Y*'v!*..Y*Rich..Y*........................PE..L.....J...........!......................... ...............................P.......................................-..v...L$..P............................@..H...................................."..@............ ...............................text............................... ..`.rdata..V.... ......................@..@.data...P....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):35328
                                                                  Entropy (8bit):6.2850063230061
                                                                  Encrypted:false
                                                                  SSDEEP:768:YhjCt/9qBm5pEO8319LVOaWBnrZQhvIybOjjWcH/B:YhI9em5pu31ZVfmrZQZOjj/H
                                                                  MD5:A55F54CD0A74D6AEE7C650A673906FE9
                                                                  SHA1:BF107CC8D260A4C9BB77D511F961C57515051E4C
                                                                  SHA-256:1839EA174D192733F0ECF168B73CA0747690B33DBA900D73EC89E832BBB7733E
                                                                  SHA-512:1CCE169DB81B4520561A29E91A5E50C815F448755E23D803503F80F85907AF421F149E0AE71C05FACB55B171E3AA4104927AB09F8AB136EA666A4D05EE1D689C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ml4.).Z.).Z.).Z...$.(.Z...'.*.Z...7.&.Z...!.-.Z.....,.Z.).[.s.Z...4.!.Z... .(.Z...".(.Z.Rich).Z.........................PE..L...(.J...........!.....Z...0.......b.......p.........................................................................."....w..d................................................................... t..@............p..x............................text...kY.......Z.................. ..`.rdata..."...p...$...^..............@..@.data...|...........................@....reloc..z...........................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.726494495421484
                                                                  Encrypted:false
                                                                  SSDEEP:192:3/5Q5+bERI9c77te5ddckNC7rE6r9Hy10jTWMQBOn3X7U6Ckpb8O7GJWjV:3++bhlpC7rtHy1TM8O3rU69A+GQjV
                                                                  MD5:64B0DDBB320EA8440B591DA4E6D36D75
                                                                  SHA1:0792147451AB4B3F45E2518AC940E99590B77794
                                                                  SHA-256:B4C5C6BD76A7DDD4E27FA7E15C3113203F3E51D62B8DA73C5FEDB8C7F7426569
                                                                  SHA-512:76F52E0C16F176E9566556427CB7F31A4FE9B8866A6DB28BA6F40B621E360E41DA7B2D49430BD5809044F5A31FCD9E901241B8D8E911EA6F3FF2859F8305EF1C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P..c>.c>.c>.2.@.c>.C.c>.S.c>.flc.c>.E.c>.c?..c>.P.c>.D.c>.F.c>.Rich.c>.........PE..L...k.J...........!................,........0...............................p.......................................A......\5..d............................`.......................................2..@............0..D............................text...+........................... ..`.rdata.......0......................@..@.data........P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.752935060882783
                                                                  Encrypted:false
                                                                  SSDEEP:192:fNqdc1PpLZZocBBa3bUKuHOEgPlncEcTWMQBOn3X7U6Ckpb7qpV7A:1qy1BLzDBqRcy9xM8O3rU69a
                                                                  MD5:6DF5E77ECBFD747B5864476C346C974A
                                                                  SHA1:7444B50FDE58256140F961401F5601950811CE67
                                                                  SHA-256:76ED07E289D7B129894B55D0EC37DDF440CDBEDCF107586A02AAF22D9744E832
                                                                  SHA-512:D8D4E21CB4B58135578E597F4B8B76537C158F8D913D0980F06763DD1D9938AB34D1B305BCFC98892DB3A28D679447CCE23E8516B3885383FFB8C14456E37386
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^)t..H.^.H.^.H.^..d^.H.^=.g^.H.^=.w^.H.^.GG^.H.^=.a^.H.^.H.^IH.^=.t^.H.^=.`^.H.^=.b^.H.^Rich.H.^........PE..L.....J...........!......... ...............0...............................p...................................... B......|5..x............................`.......................................3..@............0..`............................text............................... ..`.rdata.......0......................@..@.data........P......................@....reloc..D....`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.66916276011648
                                                                  Encrypted:false
                                                                  SSDEEP:192:C4gmOatLM4c0A26oZ7AEQ6q3hlqL8/TWMQBOn3X7U6CkpbBu/pIpJ:C4bOaton0A+Z7KRsLbM8O3rU69N+Y
                                                                  MD5:EA531676D6F3B38235FB1AE3D463AB48
                                                                  SHA1:707AE7EE53A691B23A1B0B8CD6ACB756FB54D045
                                                                  SHA-256:603F246C7314DB87AC76E381256C9E0901838550A41527B67E76260B0A9EEA54
                                                                  SHA-512:6D64D5CABD3461A65158E18FBA1217E91E640623A6AA9234236BA2A0937D32FDC11F5A852156AF75C1863E3819DB56B27A627907A63B23828D23B84A26B01199
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<s+N<s+N<s+...+O<s+i..+L<s+i..+@<s+.3.+L<s+i..+K<s+N<r+.<s+i..+H<s+i..+O<s+i..+O<s+RichN<s+........PE..L.....J...........!.........................0...............................p......................................@?.......4..P............................`.......................................2..@............0.. ............................text............................... ..`.rdata.."....0......................@..@.data...`....P.......,..............@....reloc..L....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14336
                                                                  Entropy (8bit):5.714708425475011
                                                                  Encrypted:false
                                                                  SSDEEP:192:PnDi3tvhKy5pjnWRIClT6coQHigmyyWMQBOb3X7U6Ckpb/1XoJNlb:PnDi3tvhNLLuBlT6gigfM8OjrU69zSN
                                                                  MD5:DF0EB1E0D587E4E770F90C2B414A9882
                                                                  SHA1:D97DF74B938BFE6FD9CED577700B4237CF854674
                                                                  SHA-256:AAFB9283540E3757C55325A96FA7279E7789525A04CBB4FA2A4992CF294825EE
                                                                  SHA-512:0C1503C294B3F2D4D42AEB02CD77FAFDBA9B03E15131E688FDA2431DCF7E045E514223CE6FE0FD6AA088760BF049C81030B067501F66E58CD4E455F225D9B5B2
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<.+N<.+N<.+...+O<.+i..+L<.+i..+@<.+.3.+L<.+i..+K<.+N<.+.<.+i..+H<.+i..+O<.+i..+O<.+RichN<.+........PE..L...j.J...........!................Z".......0...............................p.......................................?......<5..P............................`.......................................2..@............0..(............................text............................... ..`.rdata.......0......................@..@.data...`....P.......2..............@....reloc..>....`.......4..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):6.115734453666887
                                                                  Encrypted:false
                                                                  SSDEEP:384:DA71Tnx9BFZYDNVhcP8zc9gzDoD993iMxrM8OjrU69mcP:Dwv9TZY5VhcSc96DoRbOj+cP
                                                                  MD5:0CA701C8FCF5AA614ADF2786B7013EFB
                                                                  SHA1:C8C699536D89C9A7BFD8F4EEEF95597F70117F44
                                                                  SHA-256:FC2BED38B0BC89E91DA69F814F5036BB999AECEAE1ED42FB834B4D00AA027652
                                                                  SHA-512:36F99B3165B25F9B4967D75EE0E5A503FAE1AC32A53966ED9EA086C9B3C90161856A9C51E99768CD67114379C878576B9D7B15FB0EF02349B8780B77B61AAB07
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..@n.v.n.v.n.v.....o.v.I...l.v.I...`.v...+.l.v.I...g.v.n.w...v.I...h.v.I...o.v.I...o.v.Richn.v.........................PE..L.....J...........!.........2......_(.......0...................................................................... R.......7..x............................p.......................................4..@............0..$............................text............................... ..`.rdata...%...0...&..."..............@..@.data........`.......H..............@....reloc..Z....p.......J..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.392930664998236
                                                                  Encrypted:false
                                                                  SSDEEP:192:/y0M8bsum3NH3GFZac01zJNWMQBOb3X7U6Ckpbpx5GApnR:/y8bsNH32Zac01WM8OjrU69lPd3
                                                                  MD5:FD040E75CE76E21AEB97B12A193EC58B
                                                                  SHA1:EBAAA7B306FB563B1294C51DE703CF7DAC411029
                                                                  SHA-256:4A0A959DEACC9CFF18FC75C61B471E13181863B8B60C59A56F80FCF68CF3EF13
                                                                  SHA-512:C98CD3A9C089ECE266F6692236405EE61F2700B0377EB1651DD183864DD6598C2DCC7A9F0FE541CFB84A38BED98AF541646E7286E403880D4235F25EA7F8FF76
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.1y.._*.._*.._*.t!*.._*'v"*.._*'v2*.._*..*.._*'v$*.._*..^*C._*'v1*.._*'v%*.._*'v'*.._*Rich.._*........................PE..L.....J...........!................7........ ...............................`...............................................$..P............................P..\...................................."..@............ ...............................text............................... ..`.rdata..G.... ......................@..@.data...P....@.......&..............@....reloc.......P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.6467886463542305
                                                                  Encrypted:false
                                                                  SSDEEP:192:mQguqqFuAlpLsQs8A8CgsRUeBmifUzsjTWMQBOb3X7U6Ckpb8z3V9avpNO:mI7FuAlp9s9QQZfU3M8OjrU69AT7avb
                                                                  MD5:5B1F71826C1A922B1E914CC85F4B2F49
                                                                  SHA1:6997377DBF57B3ED61679131924692788614F369
                                                                  SHA-256:5F98FD5CAA23E91DF2687E0351464807BFA509BAD053DE985E03AD147C85709D
                                                                  SHA-512:495FE92DC8D5493A59A7B5A31E4681EB71F3CE6433D6AD6B9180C4AE953E72AAB8434478F8ABDAEB9FBC56AA49D6323C51E5DCDAC42EEFCB4597ACA14ED99F8A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.9...W,..W,..W,.t),..W,'v*,..W,'v:,..W,..,..W,'v,,..W,..V,I.W,'v9,..W,'v-,..W,'v/,..W,Rich..W,........................PE..L.....J...........!.........................0...............................p.......................................?.......4..P............................`......................................h2..@............0..0............................text...;........................... ..`.rdata.......0......................@..@.data...`....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.7523355472607935
                                                                  Encrypted:false
                                                                  SSDEEP:384:z3h8S2cThVGCHx/dX1WNP5M8O3rU69xg/v:z3f6CR/ibO3pgv
                                                                  MD5:A62C4562B752C053BF9684372915E57A
                                                                  SHA1:ABEF7E527CEA3826EF0B98216F89D3630FC0AFC3
                                                                  SHA-256:E7FE0944545299355F5CDB72805181165E0A0B70E8C2E4F4CC97C2C2DDEBA696
                                                                  SHA-512:4973D5056A55219600CCF869DC3CBE5C803D24ABB0EE08434429A1E8CA20892CAB4E275316FE54127C6E1749BDC289C090861636EA6AF84A405948556CF4A463
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3..3..3...Z..1...X..0...X..<....1...X..6..3..p...X..5...X..2...X..2..Rich3..................PE..L.....J...........!................L........0...............................p.......................................A.......7..P............................`.......................................5..@............0...............................text...K........................... ..`.rdata..a....0......................@..@.data...d....P......................@....reloc..$....`.......0..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.452727243813498
                                                                  Encrypted:false
                                                                  SSDEEP:192:UHYGTuGaasn83GCw461JcR3K5TWMQBOn3X7U6Ckpb9B7pC:kYGTu2sn83S46S3zM8O3rU69Rx
                                                                  MD5:019FCF49753AAD58EA85D0DD880EBCF2
                                                                  SHA1:B423E5C93243664DEDDB84E6B6200F301C7AD802
                                                                  SHA-256:9899B828A27A2957A879D972DBBA81C2C35011B1B1991562F6C8F26AD9FB134B
                                                                  SHA-512:00BEA9C27467FE7E27CDAB2FCF1E1413D69CBD43E5683B25E1F02D4ECD8024FACE293B7CC9918269E13C53A58D3A69D8B1FDC47CAA54F6FD6CF92481DBB467C6
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.7y..Y*..Y*..Y*.t'*..Y*'v$*..Y*'v4*..Y*..*..Y*'v"*..Y*..X*A.Y*'v7*..Y*'v#*..Y*'v!*..Y*Rich..Y*........................PE..L.....J...........!......................... ...............................P..........................................o...\$..P............................@..X................................... "..@............ ...............................text...[........................... ..`.rdata..o.... ......................@..@.data...P....0.......$..............@....reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):81920
                                                                  Entropy (8bit):5.73472837854192
                                                                  Encrypted:false
                                                                  SSDEEP:1536:CoyeQh7K4tO1irlC7A+luMwivvl6rs8PMX3J5tnijtiOjZL8vS:CoaRvkqQ78PMX3HtnijtiOjB8v
                                                                  MD5:FE02F50B37224A4680FFA0ED151158ED
                                                                  SHA1:F65620975DCD22CD7B218EEB1341076C47FD4E1A
                                                                  SHA-256:B4848746E583509D4C1BEE1C4A1B75E2DE29C95A27856AFA32A8DD6F22B38EB2
                                                                  SHA-512:4C6871A7680BBF8E2F8A0CD180A60BFC9EFF285158C05C1AC55306EA8071C434609C7D0CA9E78905C2C19F783F25485259F59F6F32EC7FFB78243D5E08C238B7
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$X..J...J...J..)4...J..+'...J..+7...J..+1...J.S.....J...K...J..+$...J..+0...J..+2...J.Rich..J.........PE..L....[.J...........!.........`......1........................................@............................................................................... ......................................p...@...............l............................text............................... ..`.rdata.../.......0..................@..@.data...............................@....reloc..z.... ... ... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.606119032620565
                                                                  Encrypted:false
                                                                  SSDEEP:192:t3U5d6UOcPFGLIDTkXBpZwTWMQBOb3X7U6CkpbuKgMgKpjL+J:dUvtP9DUBplM8OjrU69aKeKByJ
                                                                  MD5:92A5B700AFE893FDB3369887B1DF65EC
                                                                  SHA1:99F7C36620439D3481824297F0FC15652670E926
                                                                  SHA-256:B8327FDB275E0109087A366F9881AC99A1EF509369260052567B0405211E5C0E
                                                                  SHA-512:03F84ECA963755116E14302FD79883A366B715FA77B36959BBA2320089520E2401BEFD7DB1FCB6179DDA84604133651FBCC65BCF13679488730E809BB7F6F5EE
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P..c>.c>.c>.2.@.c>..C.c>..S.c>.flc.c>..E.c>.c?..c>..P.c>..D.c>..F.c>.Rich.c>.................PE..L.....J...........!................,........0...............................p.......................................@......,5..d............................`.......................................2..@............0..8............................text...+........................... ..`.rdata..W....0......................@..@.data...|....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):5.319867706614236
                                                                  Encrypted:false
                                                                  SSDEEP:1536:4h5MbWn+OXfKCEE7mZj1r2BDRx9BXY6OjS2s:4zMb+KCwhUdx9BX7OjS
                                                                  MD5:5D459A597BDB2234016BDDF95A954525
                                                                  SHA1:563832EE088A747579ADCCCC85C7083144736CB0
                                                                  SHA-256:1373420563733BA9FC6F3D6827119B485FD5046F8EA0E5312F77D0B866311B8E
                                                                  SHA-512:E3004A8392A4F51764D7BCF3AC729DECDD6FD6962260F2E0F620596E325A71E315927CBAC503D79E2A278FB1F33C7E95A57393CB9BD056E4BDCC5E7D52F2A5C1
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................1......3......3......3.....A..............3......3......3.....Rich............PE..L...1.J...........!.........P......................................................................................@.......,...........................................................................@...............p............................text...K........................... ..`.rdata... .......0..................@..@.data...8...........................@....reloc..V...........................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.752023594361412
                                                                  Encrypted:false
                                                                  SSDEEP:384:f/K2pacL9sIhEXPJwYXM8O3rU69T5Fa/:HK2p79smEXxwYXbO3b5s
                                                                  MD5:552E4BC733B43DAD6A981ED2DE98C2A4
                                                                  SHA1:F621625D8F277D668EACCF45DC5259EF33FA2AD0
                                                                  SHA-256:72A0493CE49569DDE60BDFF152DB2C69B430F7CA723346A88F88BE3DAB9071FA
                                                                  SHA-512:6F7FC1EE2903B2B6B7DE125AEF05CF369353997B029699F7847D50923BE6A576C794174870C5252E98783C74109D4073965345DB5816A4EFC610F1E4EE386B3F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......At:...T...T...T...*...T.".)...T.".9...T.......T."./...T...U.B.T.".:...T.".....T.".,...T.Rich..T.........PE..L.....J...........!.........................0...............................p.......................................?.......5..P............................`.......................................2..@............0..(............................text............................... ..`.rdata.......0......................@..@.data...d....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.548554550981031
                                                                  Encrypted:false
                                                                  SSDEEP:192:vLb6bF4lURvziNPE2FUTw/TWMQBOn3X7U6Ckpb/P5dJJqVnU:vLbX2cNPrsM8O3rU69zPrn
                                                                  MD5:ACE60FBBD055DFBCEDCE2504318D7AFC
                                                                  SHA1:5093BC60DDD23DB63A84B5DF96E8C5D7BF40F592
                                                                  SHA-256:65C26039A1E1E7C605902E55B57BB19FB30C8F60FCF21E73644DECBD6FEB9BE1
                                                                  SHA-512:66ACA444BD09BE4D8484FDAD5BFFECA98BEEB904BE76756F41371AF56D5E46C36766AEAB16E20B489DEC4CC4622838A4330A52F40D01DC56ADD8B849B0E6622E
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......At................."....."............"........D..".....".....".....Rich...........PE..L.....J...........!.........................0...............................`......................................0>..Q....4..P............................P..|...................................82..@............0...............................text............................... ..`.rdata.......0......................@..@.data...T....@.......&..............@....reloc.......P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1347584
                                                                  Entropy (8bit):5.374625541426377
                                                                  Encrypted:false
                                                                  SSDEEP:12288:RHZt7XyX4uUGABoRaypLr7ed0yWi+V5BeH0At2bxm:R5xIUGABoRaQr6db0At2bxm
                                                                  MD5:C1C1CE1CAEE381BACFA1CA2A4947AB1D
                                                                  SHA1:20CF5A624D3CE57E1856BF8B5F4AC4642DE910C4
                                                                  SHA-256:E1294BE4CDD1589F3E2F4106ED38E6D0778A565F663DEE92AC32C714574C42A3
                                                                  SHA-512:EF9A6F17EDE1B5940044D9E44743F7B334127D1D2471D0749ECDD95ED9E81382646561ACD85179A6B0B516140DACFDE2D1C3B7D46028F568C977E9E3EBBE9F7E
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.\b'.21'.21'.21.f_1(.21.fO1".21.dL1&.21.fI1..21.o1).21'.31%.21.R1%.21.f\1,.21.fH1&.21.fJ1&.21Rich'.21........PE..L.....J...........!.................................................................................................U..............................................................................P...@............................................text.............................. ..`.rdata..............................@..@.data...p2...`.......`..............@....idata...).......0...p..............@....reloc..h...........................@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.78375074935434
                                                                  Encrypted:false
                                                                  SSDEEP:384:1EJBO9SgjO4GSx1/AE/M8OjrU6LBUF3/XQ:1EPOsgjO4GSt/bOjLUF3
                                                                  MD5:EDB4573EFA8BFA980F2A11DBF8580C92
                                                                  SHA1:1D1E896B6156E3887F58B2B39FDDC2003D78062D
                                                                  SHA-256:691A0BC01DA21BA71B9ADD3B4812E7368428909CB5B5CD02A169A2868D4707B0
                                                                  SHA-512:B7470709BA3C15F89F3EE84670B27C28A5C50C0B49F25A5DDC5B809A09E72014B655228F782AAFB1E8B72BBC1EE5DDE8FA4A54A4791CD2492349195FAB4B603E
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.^.).0.).0.).0...N.(.0...M.*.0...].&.0...m.-.0...K.,.0.).1.a.0...^./.0...J.(.0...H.(.0.Rich).0.........................PE..L...z.J...........!.........................0...............................p.......................................?..0....4..d............................`.......................................2..@............0..0............................text............................... ..`.rdata.......0......................@..@.data...d....P......................@....reloc..D....`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):6.092351697685807
                                                                  Encrypted:false
                                                                  SSDEEP:384:1UtteL/+Rp3Yefy5yq621jnhWwcwQwOgsM8OjrU69zfQ6GNOkpmkE:1UmL/aoUxg1jhWwcwQwOgsbOjbfQ6Gcw
                                                                  MD5:DF818FED0BE379A8025C56F2B6909A95
                                                                  SHA1:CB6187CE25B3B2526426B36C06AFA967873C9AF6
                                                                  SHA-256:CD837389958D4C5DBACC475770CE7739DDC31181555D5C039D659464B68FC519
                                                                  SHA-512:BCC2DB481B323B01A7D67F4BBA150E6D482AE2AA0F12D7FF9025AC40A76ECA770925D840C30568A9C97A20C7721C02A9D6001135209CF8A0E4EECF56E965C208
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\j..29..29..29P.L9..29..O9..29.._9..29..I9..29..o9..29..39..29..\9..29..H9..29..J9..29Rich..29........................PE..L.....J...........!.....&...6......./.......@.......................................................................a.......J..................................L....................................G..@............@...............................text....%.......&.................. ..`.rdata...(...@...*...*..............@..@.data........p.......T..............@....reloc...............V..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.629595628551682
                                                                  Encrypted:false
                                                                  SSDEEP:192:9Y0qM0B6w/YJPBcD2RJvWMQBOb3X7U6CkpbDfaB8rQp6:9Y0qM0wJpcBM8OjrU693fu
                                                                  MD5:34503C1037E1E5A92DC03CBAB15C11D8
                                                                  SHA1:81191FAE0B3A06CB376F2EF6D7624997A9048684
                                                                  SHA-256:60142A9EC81D3521D48A03EE16BF6AF0C928F8BDD932E02D0A2E5DE88C1F1890
                                                                  SHA-512:D1A0794BF6AEF9E40718F39C4DF97BE83482409ABC7E2D2825CC5F6E9B3E84A953E8B0A5C86AC20082CDFA800DD71EAE127E3662BD94F5E0083FB4F51A7CCEDC
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.9a..W2..W2..W2.t)2..W2'v*2..W2'v:2..W2..2..W2'v,2..W2..V2K.W2'v92..W2'v-2..W2'v/2..W2Rich..W2........................PE..L...f.J...........!......................... ...............................`......................................./.......$..P............................P......................................h"..@............ ..8............................text...[........................... ..`.rdata..y.... ......................@..@.data...X....@.......&..............@....reloc.......P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14336
                                                                  Entropy (8bit):5.648342300536825
                                                                  Encrypted:false
                                                                  SSDEEP:384:0qE5RBPlmz+if+QtVqV4SwSM8OjrU69sAM4:0vjPEDGQtVqV4MbOjEAM4
                                                                  MD5:AAAEAAB1FACE9462B638DB7157A9B73A
                                                                  SHA1:62A79FFBF9A00A0F9960AEEDD69C864443038D90
                                                                  SHA-256:8E693D1EDD59B002E868C844A179DFB95FC5BA16DE60B0FA32D734E91BBC1FE5
                                                                  SHA-512:246564C954BF045526707DE0265EAC9F96F355FF89A02B3764D05589B1C3FEED25DEB3501D8FA59A961769FEDF8818A35BDD1C94065919923C3454AC75C16A9B
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......At................."....."............"........M..".....".....".....Rich...................PE..L.....J...........!......... ...............0...............................p......................................P@.......5..P............................`.......................................2..@............0..,............................text............................... ..`.rdata..C....0......................@..@.data...\....P.......2..............@....reloc..&....`.......4..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.399434585799883
                                                                  Encrypted:false
                                                                  SSDEEP:192:QLLN/U8vY8bTJu56H+G5oaxS1BVIKiS0lXTyEc7cT3kT16IgTvWMQBOb3X7U6Ck3:QLKiZoaQVIKcTAwA16IbM8OjrU69Fz5
                                                                  MD5:461FC93D7C1D71D5B5EACEBC3B0EE866
                                                                  SHA1:A7D78FF47137F4E5B55ADD3A1747837A205DF3BE
                                                                  SHA-256:03BEB25E5D93BC7171B8E9C58CA37A3C993F44064F029F2DF528854102FA1208
                                                                  SHA-512:12E48B46D19C2B990058F152C75899FACF1966CA0795D32D9D5712618F469CA3B85592DC4C52EC32FD75B3883A267C34787EB8A34F93EE5390939663BDD59EF9
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............S...S...S5I.S...S.K.S...S.K.S...S.K.S...S...S.Sa..S...Sa..S...Sa..S...S.K.S...S.K.S...S.K.S...SRich...S................PE..L...T.J...........!.....0...,.......:.......@......................................................................0Z......,P..x............................p.......................................M..@............@..,............................text..../.......0.................. ..`.rdata.......@... ...4..............@..@.data...`....`.......T..............@....reloc.. ....p.......V..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.589129761501559
                                                                  Encrypted:false
                                                                  SSDEEP:192:H+ZAIZQJB4zRRKNYRF+UpD/TWMQBOn3X7U6CkpbEFeApUg:H+ZXCbNYz+Up+M8O3rU69YJqg
                                                                  MD5:77ADB7C251DBE2F00D05170CA643FEE0
                                                                  SHA1:D2C241EEB09EDDE799D0AF712056A54237F07DAA
                                                                  SHA-256:78A681CD0DC81557E2E831330D076893D93BD0D2E7F1C68972924C2E13A79BA2
                                                                  SHA-512:65F2A581E6F15B2C6DB6174AC905C506EC4EB24CAF922045D38FFD8EF1D84B2A7B0AB7E385466FDCB7815D60FD3FC86F3ABCB052F6B78E09A51060FAEB4187F0
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......At................."....."............"........G..".....".....".....Rich...................PE..L.....J...........!......................... ...............................`..........................................i....$..P............................P..p...................................."..@............ ...............................text............................... ..`.rdata..9.... ......................@..@.data...T....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15872
                                                                  Entropy (8bit):5.878254437172406
                                                                  Encrypted:false
                                                                  SSDEEP:384:97AspeO1PthoLJa4sAQPM207qMM8OjrU699wzx:97NPfoVaPBlMbOj1w
                                                                  MD5:7E72A07E576064C414F50CDAADC27D56
                                                                  SHA1:83B00ABC959D71743EB555D09E06ED1C2E51E538
                                                                  SHA-256:280E87969EBBDD8B78B65BBAC019156DA57599DE8A62A6AEA4EEC7E376EC7310
                                                                  SHA-512:D8954C8288E4EEE03EAB2B5F88A9ECE72ED98B5BFA407FC74CED7AA1B06CD089ADF5F44C9E97E0313D66EDA981808088B905687BD8C3DAF4A171215A991A48DC
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.F.7.(.7.(.7.(..V.5.(...U.4.(...E.8.(...S.3.(...u.0.(.7.).z.(...F.1.(...R.6.(...P.6.(.Rich7.(.........................PE..L.....J...........!......... ......6&.......0...............................p......................................pB..)...|7..x............................`..h....................................4..@............0..H............................text............................... ..`.rdata.......0......."..............@..@.data...l....P.......8..............@....reloc.......`.......:..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):6.046439604834051
                                                                  Encrypted:false
                                                                  SSDEEP:768:bpfvZW5+druYAAMq40xGph5e4vauhreMozbOj/MpNwYZuwz:rFt5MP5p64vaoydOj6WYZvz
                                                                  MD5:E893E1C69A3DFF6E14DB641E5CA81088
                                                                  SHA1:D5BF86CD0B20391D1EC09A32BB36755AF86CABF7
                                                                  SHA-256:5FC7E4EFCF1981D9A40C943DC4ECE7CB8923855BA99BADC8279439910BD6C70E
                                                                  SHA-512:884368A5426BC9316BEDEC5673D14C4DE54E602E5E9EFDC43FC2D94E81C53C7EBA0D750E3A8A28F700819ABA89874CB9CA18BEDBC771C305D3FF84F5E6C5903C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B\..,...,...,.u.R...,...Q...,...A...,...W...,.!.q...,...-...,...B...,...V...,...T...,.Rich..,.........PE..L...^.J...........!.....H...:......KO.......`.......................................................................|.......m..................................P...................................`h..@............`...............................text...[F.......H.................. ..`.rdata..H*...`...,...L..............@..@.data...(............x..............@....reloc...............z..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.664503712535801
                                                                  Encrypted:false
                                                                  SSDEEP:192:HIQX6bUi4BXurmT88+/jTWMQBOn3X7U6Ckpbbb5p5c:oQAUiNmwqM8O3rU693Fo
                                                                  MD5:FB0807BED946FF01DB72AB45430FFCDC
                                                                  SHA1:254933B8474AF2D9816664B2A354B6103625F3A1
                                                                  SHA-256:FFF1F4ADC432F354BE5108D34FB34B7096EA41B9B71E2979CB0A7ECED2FE24B6
                                                                  SHA-512:230A1F510E6A01B843957D8DA11C2762E61F1E39F987BC3C0771A8044EF5B1005709DDB41E87593F6415D6EEE8E5CB99F295B92539F04E7A8BAC1AADE596ACF7
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........S..=Z.=Z.=ZyNCZ.=Z.L@Z.=Z.LPZ..=Z-.`Z.=Z.LFZ.=Z.<Z..=Z.LSZ.=Z.LGZ.=Z.LEZ.=ZRich.=Z........PE..L.....J...........!......................... ...............................`...................................... 0.......$..d............................P......................................x"..@............ ..,............................text............................... ..`.rdata....... ......................@..@.data...x....@.......$..............@....reloc.......P.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.598345465782028
                                                                  Encrypted:false
                                                                  SSDEEP:192:y/7ZxsuKpi6/a7CMRUBm98QmCoLgxCc9JNWMQBOb3X7U6Ckpb91cpZzg:y/dxsuKE6SWMRt9aRJBM8OjrU69Riw
                                                                  MD5:9D9E38709CB85D897A02D4E040F3C699
                                                                  SHA1:76679A1F68C8A97D829F134DCCE655AC2E936D4E
                                                                  SHA-256:F310A009DF9CE42B31CBB258F2B89884732F32B81378E2758A79506C27CDB2BD
                                                                  SHA-512:D2D28DF91B1711D82BC6F33097B685E278BAC1475A2879DFFAE1EA40E232BC568C2F6C1BE6CBBA7C5A65F40D162B74EFCE4F37F99A4D480ECFAA8B9062B7648E
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<.+N<.+N<.+...+O<.+i..+L<.+i..+@<.+.3.+L<.+i..+K<.+N<.+.<.+i..+H<.+i..+O<.+i..+O<.+RichN<.+........PE..L...a.J...........!................Y........0...............................p......................................`?.......4..P............................`......................................@2..@............0..(............................text............................... ..`.rdata.......0......................@..@.data...X....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.722667962520688
                                                                  Encrypted:false
                                                                  SSDEEP:192:rPx4N3uN2dik2C9vKifEEaauIo/TWMQBOb3X7U6Ckpb+vzsllpEEc:rPx4Ewdim9vXfVM8OjrU69Kvzoa
                                                                  MD5:0579905973883D40CE34C98DC3D7CB75
                                                                  SHA1:D43381C45C4AB84B24FF00A5F7367EFDA0758047
                                                                  SHA-256:92761EFC7C158D0002797C852E02B57A24F6E0444B15D5F0F393C47423DFC64E
                                                                  SHA-512:43FD9CE730B67D808BA49705B29CAF94F201F82F3DE74DA2CAB0344EA8D7C51C0B48F72C99EA05BC9035C83A5B1BFCEF3E90072022F13CF8DA9EFB7703A58C0C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..y...*...*...*.t.*...*'v.*...*'v.*...*..*...*'v.*...*...*F..*'v.*...*'v.*...*'v.*...*Rich...*........PE..L.....J...........!.........................0...............................p......................................0?.......4..P............................`.......................................2..@............0..$............................text............................... ..`.rdata.......0......................@..@.data...X....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):17408
                                                                  Entropy (8bit):5.943362740809529
                                                                  Encrypted:false
                                                                  SSDEEP:384:MzMwxkmuPpPpTzMOzdk0L1oM8OjrU69owlP8BYkVk:MpkmuPpPBMOJk0L1obOjQwlP86km
                                                                  MD5:A44C28F3CF032A90095BCF0354383CF0
                                                                  SHA1:FCF67956E6C3D9598E637D2567DB8DF7C0CE1DBA
                                                                  SHA-256:2128C919BBAD21D58DAE46507BD6337EA6509DE4A03F46A790A6F3D8999FCE0E
                                                                  SHA-512:164DE63D9667C5A93F96D722A918E4DDE01233F71061B7F9A35A9825C68381FF93A4819CC3E03BAB38DE0663A8A0EFA32D05D828F0E9F5498C2D41714AAA626A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.P.%d>.%d>.%d>..@.$d>...C.&d>...S.*d>..kc.'d>...E."d>.%d?.rd>...P.#d>...D.$d>...F.$d>.Rich%d>.........PE..L.....J...........!..... ...$.......).......0...............................p.......................................D......,6..d............................`..\...................................`3..@............0..l............................text............ .................. ..`.rdata.......0.......$..............@..@.data...|....P.......>..............@....reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.544861235269491
                                                                  Encrypted:false
                                                                  SSDEEP:192:cOa6clWWhZwtdsia2Y1ouPmQMO4G5ROr/TWMQBOn3X7U6Ckpbh/5p/9O:cOatlWWLa2Vp1fPqp2rM8O3rU69txl
                                                                  MD5:8FF3BDA0B2217367564307DC2DBF5A5F
                                                                  SHA1:6165DDA4AE04F0372EB334A4A71531AD27EF7E21
                                                                  SHA-256:6C666452403E960C2D88B227081C46FA28F0D6F30984F794FAA05D0116A09E5E
                                                                  SHA-512:1EB1AE1DB93326A88EB0E05FB4C816F542C9289290991634E559E1CA237E7DFFC8C130AABD55C5DA6B4BFD0022ED958AE221A6BE890059B7D5AE2FA3E942265C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......At................"....."............"........A..".....".....".....Rich...................PE..L...|.J...........!.........................0...............................p.......................................>.......4..P............................`......................................P2..@............0...............................text............................... ..`.rdata..}....0......................@..@.data...d....P.......(..............@....reloc.......`.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.803192605373986
                                                                  Encrypted:false
                                                                  SSDEEP:192:vOvOUayXHN65l1sh9B53weT3orKuHztYPT8hkTWMQBOn3X7U6CkpbTsSCBpSzM:K5H2sT3jJczQWM8O3rU690SCB+M
                                                                  MD5:DC71AA01E4F39150DB389325430C55BF
                                                                  SHA1:4CEDB78A627D86CD3EF0B16840C0864F0F33ACA4
                                                                  SHA-256:F715C0A59F86152FAD96A18734B1FD4DE83ACC5B1708E4A2C33ABE0D8C7C2CAF
                                                                  SHA-512:D9CF3CEFCBC3CF241C46EF00805BC724D780852BAC213838FA43639A5E310B98771FE1F051B9F510D085282F1B74F21FDEF98A58BA7D3444D8F80793F4484646
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................yN....L.....L.....-......L..........L....L....L...Rich..................PE..L...'.J...........!......... ......J........0...............................p...................................... B.......5..d............................`...................................... 3..@............0..H............................text............................... ..`.rdata.......0......................@..@.data........P......................@....reloc..f....`.......0..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.4378230598107935
                                                                  Encrypted:false
                                                                  SSDEEP:192:6mAUQpkfQuqa8GZPRnWXN0NCNWMQBOb3X7U6CkpbJDW1zxp:6lRp8Qf65nqCNrM8OjrU69FUV
                                                                  MD5:9C193BA31C8F173C9AA42D766FD9A7A7
                                                                  SHA1:4E13F1446C2D2E56CA825BE3AE1AE6535B3A62F0
                                                                  SHA-256:80E776AC877808D8DAABA46FE2678A25ABA70D42C50B2E68D98C55F7EF68B5EA
                                                                  SHA-512:3ACFDBEF4BF60F4A2C3ECD96747852C967F4700109DABB1B9CACA5CB2F9CDDF4A9D43AB62005812E4B11DDD066D7FC14D7C8EA439FDB6A9D27C0B5EF08FCB11A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.2...a...a...a7..a...a...a...a...a...a...a...ac..a...a...a...a...a...a...a...a...a...a...a...aRich...a........PE..L.....J...........!......... ............... ...............................p......................................./......$%..x....P..(....................`..t...................................`"..@............ ..D............................text...{........................... ..`.rdata....... ......................@..@.data...x....@.......(..............@....rsrc...(....P.......*..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13312
                                                                  Entropy (8bit):5.562280161966946
                                                                  Encrypted:false
                                                                  SSDEEP:384:1UZs803063VFscQvknHrHy1/uM8OjrU6LW7C7YU:1W03tlFscQMnHrHy1WbOjY7An
                                                                  MD5:AA21DB07ADF2F3069F663F47DCE4F722
                                                                  SHA1:1A4B21AC7BA15A93020BB6902E2CBCE51F3D7D89
                                                                  SHA-256:F7EF54F31099DCE6FD10DFBC98F42A1980C20DDDAAC62E538030D3ED537ED689
                                                                  SHA-512:2FAF2061E303B293AAF89EE22524FC8BAFAFE4E0A99C224EF52B6B3F6F3EA10C63ED8A8A998C085829D96B88D05D720A1796E3DE9AFF760E454D248083A2A6CB
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)t.RH.^RH.^RH.^.d^SH.^u.g^PH.^u.w^\H.^.GG^VH.^u.a^UH.^RH.^.H.^u.t^TH.^u.`^SH.^u.b^SH.^RichRH.^........................PE..L...{.J...........!........."......F........0...............................p......................................pD.......6..x............................`......................................`4..@............0..l............................text............................... ..`.rdata.......0......................@..@.data...x....P......................@....reloc..D....`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.510311361579838
                                                                  Encrypted:false
                                                                  SSDEEP:192:UH4FthWnBvS/xNYFi2UM4eWMQBOb3X7U6CkpbtY1wNqJpk7:k4FjWBENsEhM8OjrU69hYfq
                                                                  MD5:6C48C9240E39538CDDFC474956DAAD3C
                                                                  SHA1:0894A41FD6A4118D0DF5F37960C87486FC02C1C5
                                                                  SHA-256:8FD7E712070EE415808E68CAAB97FF5E9D3DE5EEBFD682A27FDB7B90FA8B83D8
                                                                  SHA-512:C23E802CA8666A06BC8DF78A205F853D489316F3EA13C546E33EEF76069BC8E6EAAC3ED260BB5E46776FBB99E27DC1C7D74067C35684D6A81262F751DF7C9CDC
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.7y..Y*..Y*..Y*.t'*..Y*'v$*..Y*'v4*..Y*..*..Y*'v"*..Y*..X*A.Y*'v7*..Y*'v#*..Y*'v!*..Y*Rich..Y*........................PE..L...`.J...........!................4........ ...............................`.......................................-.......$..P............................P..H...................................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...P....@.......&..............@....reloc.......P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):24576
                                                                  Entropy (8bit):6.025032093793047
                                                                  Encrypted:false
                                                                  SSDEEP:384:i14XaAwneRDaZpfYoOjWGFvX2z+c2DfTxiM8OjrU69IXwmFQ6j:i1UaluDaZpfDOjWSvXsrbOjAAmFQ6j
                                                                  MD5:DF6268E3BAC2D04F02F01A44CC23B5F7
                                                                  SHA1:5CA305CF0A0FE1AC1B7E41EE1A8E6BCF16AC63FB
                                                                  SHA-256:02B7EC5DC5C225652C72F1EFD041384629B79AFFAFBBC39EB136827DEED0D638
                                                                  SHA-512:9C4848F8EF2C344F3967462B5FA2E77BC3F5B0E02F9025F3B6825D961DD7D0A3E80778D24B2B20573BC9CA3443B56D1C7D06B5B3038FB3A800B3C67A7814B2EC
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Md....v...v...v.......v.......v.......v...+...v.......v...w.T.v.......v.......v.......v.Rich..v.........PE..L...S.J...........!.........2.......5.......@.......................................................................X.......I..x....................................................................E..@............@...............................text...k,.......................... ..`.rdata...$...@...&...2..............@..@.data........p.......X..............@....reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.379316824323742
                                                                  Encrypted:false
                                                                  SSDEEP:192:6Fkp2k0p2qogW5V4O5TWMQBOn3X7U6Ckpb9hlp5dRO:6yp2k0pigWA3M8O3rU69RPr
                                                                  MD5:11FA6BE6FE280902140A1745F9AA43B6
                                                                  SHA1:C149639BA0FA2E115E336EA459AC42E56D607925
                                                                  SHA-256:CDCF7F7A8D4FF06F08ADBC3CEEA1DDBB6D13454E92A9ADA77C7BD343602094A5
                                                                  SHA-512:58C7CD105ED2E0938BED6C5500003430C93CB69221C28D3580C731FF91C81BA73AF68AB498FC92953D4A0A752E6AB91289D64093ACCFF34D5B9E1256C4F7B2E6
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DQ6y.0X*.0X*.0X*..&*.0X*'.%*.0X*'.5*.0X*.?.*.0X*'.#*.0X*.0Y*?0X*'.6*.0X*'."*.0X*'. *.0X*Rich.0X*........................PE..L.....J...........!......................... ...............................P.......................................-..]...\$..P............................@..`................................... "..@............ ...............................text...[........................... ..`.rdata....... ......................@..@.data...P....0.......$..............@....reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29184
                                                                  Entropy (8bit):3.237605200744871
                                                                  Encrypted:false
                                                                  SSDEEP:192:T7yFTCUNZji4fFAh/F7hse1pB8p/p9VWMQBOn3X7U6CkpbgP3rBi:TGFTCUNZOd7pUhWM8O3rU69Y9
                                                                  MD5:CDE303D9819FC5487E3FB76B0F8DB3BB
                                                                  SHA1:6C96DF80104E82EC3DE1CF28ACBD5DA781BE8F93
                                                                  SHA-256:E7F6F015AC7A41D597ED17E01B1B25E2089AF017289CDFF099A42460756A6C2F
                                                                  SHA-512:8B877642BA401EA3593EF01AFD89A8B223740F064444FE6F279FA02817BF140C4DF0E55577F1A3E65819594DA27925190055D4FC51BDC1B70E0AC31BED7A1016
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.5y..[*..[*..[*.t%*..[*'v&*..[*'v6*..[*..*..[*'v *..[*..Z*B.[*'v5*..[*'v!*..[*'v#*..[*Rich..[*........PE..L.....J...........!.....D...................`.......................................................................r..........P...................................................................Hg..@............................................text....C.......D.................. ..`.rdata.......`.......H..............@..@.data................^..............@....idata...............`..............@....reloc.._............n..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):143360
                                                                  Entropy (8bit):5.192652635125609
                                                                  Encrypted:false
                                                                  SSDEEP:1536:rNzhAKNkKkkIgrMZWUYQ02D+Iy2Uor1fZBdJOjYl22:pzhACsgrMZWUYn2DVy2ZfZ/JOj25
                                                                  MD5:05E2D06A38676ED18F19AFFC724C9B4E
                                                                  SHA1:0232F3CE30B5490BE420B19138E4263A9FCE83F9
                                                                  SHA-256:7020547A8CE3ACF638CCD8DB3492C55239ECB5135BC8830A0FBA28C0EAE65EAA
                                                                  SHA-512:241E3CE9D88C567AA0643C83EF9727713DC597ED388D4ABBE15D493574198505131D73C3AB9B86994EED7A2F0EB13A71C55DCCDA6FCC5190FB28BBC233CCB4AF
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$X..J...J...J..)4...J..+'...J..+7...J..+1...J.S.....J...K...J..+$...J..+0...J..+2...J.Rich..J.........PE..L....Z.J...........!.................V.......................................0......................................@...............................................................................p...@............................................text............................... ..`.rdata...2.......@..................@..@.data...............................@....idata.. ........ ..................@....reloc..]........ ..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.748633505339635
                                                                  Encrypted:false
                                                                  SSDEEP:192:8YzUeg25ItaJq/G/RVD+IWP0XDTwPq0EtaeWMQBOb3X7U6CkpbkBfyRdO:u25I8n5WP0mKcM8OjrU69uyC
                                                                  MD5:D4D4C73D4E109D530B320DAA19DB672D
                                                                  SHA1:A954693B327A05A5A41DA0DD2DB845E78A8D3431
                                                                  SHA-256:64D34941501CD1F8A9C39B2F02A87B131EBB6FD91A5D49A7C1342612A253BCF6
                                                                  SHA-512:872FAFDB9FFBC8FA755554AA8F3E66BA51BEB6CDC782D83569F472CB8B890C9F5B136B3B1E179E8BC60D8D5C6274715AED1537FA85DBEC9662D2468A60E67E46
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6..cr..0r..0r..0.=.0s..0U?.0p..0U?.0|..0...0v..0U?.0w..0r..0:..0U?.0t..0U?.0s..0U?.0s..0Richr..0........................PE..L.....J...........!.........................0...............................p.......................................?......l5..d............................`.......................................3..@............0..0............................text...K........................... ..`.rdata..p....0......................@..@.data...h....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13824
                                                                  Entropy (8bit):5.805296166934405
                                                                  Encrypted:false
                                                                  SSDEEP:384:tEA3p/WhmUBwbnEkHO4SM8OjrU69GNFb:td/WzG4X4SbOjOn
                                                                  MD5:963598D2C411120D82F9E49C0C7CE14F
                                                                  SHA1:950A187FEEA7091A3E45E0B806E73D421DFAD77E
                                                                  SHA-256:7CF4EF5DCB9FC44A152C9365657660EF320C1FAD246586ACE0816712EBFE96ED
                                                                  SHA-512:1DA34A40FE8C14D43618EDF101BABDEC367F7B69C13116F1A8A26CE23B0D0FCC783DAED712BE360D1B4D3FB888B9DA996B81F950100E6F2E45211346FAD436C6
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R.cKR.cKR.cK.D.KP.cKuF.KS.cKuF.K\.cK..>KV.cKuF.KW.cKR.bK..cKuF.KU.cKuF.KS.cKuF.KS.cKRichR.cK........PE..L...R.J...........!........."...............0...............................p.......................................C.......6..d............................`.......................................3..@............0..h............................text...k........................... ..`.rdata..b....0......................@..@.data........P.......0..............@....reloc..v....`.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.710493825752646
                                                                  Encrypted:false
                                                                  SSDEEP:192:aW3UiHsY56SSYNMvuZfVKvvYbFchn2z9PwnHWMQBOb3X7U6CkpbG+sym:aW3UbSSOMyVxbFch2xPw2M8OjrU69Cl7
                                                                  MD5:1CF1876C439F690C1DBF51B2557D5AC4
                                                                  SHA1:6207F133D25434C56A2DAB70CEE1F38B2C668676
                                                                  SHA-256:9A27C265B0B72D47FB87399A668665B2B430727212B01DB84A5D7DFF293577FB
                                                                  SHA-512:D96EE6DCBE37252ACE91813F3466CF98C228A8DA0668304A8353E6E0FC603CE6F036A9DD3F166D02D7EDA5BEF4A96101F10E3B60650CB5A7142537D46A4B937C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]=xV<S+V<S+V<S+..-+W<S+q..+T<S+q.>+X<S+.3.+T<S+q.(+S<S+V<R+.<S+q.=+P<S+q.)+W<S+q.++W<S+RichV<S+........................PE..L.....J...........!.........................0...............................p.......................................A.......6..P............................`.......................................3..@............0..X............................text...[........................... ..`.rdata.......0......................@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):6.139712045897102
                                                                  Encrypted:false
                                                                  SSDEEP:384:jCSnZZ3gYDfFMl5pp3e9debs09ykmLxjz+ochLQrcDM8OjrU690YCzJX:jC0ZZWbspkmLhz+p5bOjsYCzJX
                                                                  MD5:BFF1AEEDEE5A7746C72B67AA349368B6
                                                                  SHA1:A15970FF4CF59B47AAD7471AF231A9B96C954BDB
                                                                  SHA-256:FD1DBA2A8FD8719D8558EC7DACA32EF8B7F5B47FABDF1D69AE2DC59EEFA80248
                                                                  SHA-512:78A16FFC0B079DB195244F5E636B284E067BBAD1DC8088C33AB372D077CA6FFC0360CE781E9BB96DF5B6871B16AD9163FDE1C6E105D90B45CD8F9E04568F8696
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cGD.'&*.'&*.'&*..T.%&*...W.$&*...G.(&*...Q.!&*..)w."&*.'&+.x&*...D. &*...P.&&*...R.&&*.Rich'&*.........................PE..L.....J...........!.....V...,.......^.......p..........................................................................D...$w..x...................................................................Ht..@............p...............................text...[T.......V.................. ..`.rdata..T....p.......Z..............@..@.data................x..............@....reloc...............z..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):21504
                                                                  Entropy (8bit):6.074751230244647
                                                                  Encrypted:false
                                                                  SSDEEP:384:Z2e7yzjTUYH5dyd/jvDIezCDk63kyatNXaExc0nBpj/M8OjrU69/e+nh0:Z1uHS79zv5yatFdj/bOjHe+
                                                                  MD5:2D1259EFF72A7DC7ACD5536197A2AD97
                                                                  SHA1:375DC6C7EDCE4C28E90C72A672C7CE8587349CE0
                                                                  SHA-256:9AB45A8575A17B0ADDD8480AB4C962B5437F058FACFCEEFB319A2664797CA5D1
                                                                  SHA-512:E7F2D3AD3326B91A05BF37A2038ED27055A865DD3844C468D5BDAC3A4305A94C9F5327D900AA477102C6E52FE406C98A0B2F60A56EE360D3E27704C22B1FE558
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`..}$..$..$...)..%...+..%...+..*...... ...+..!..$..{...+.."...+..%...+..%..Rich$..........PE..L.....J...........!.....*...*....../2.......@......................................................................@U..}...dG..d............................p..$....................................C..@............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data...`....`.......L..............@....reloc.......p.......N..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.665570740755181
                                                                  Encrypted:false
                                                                  SSDEEP:192:gT3qYVBQrWbZ3XbtOdBiQziGdnioJTWMQBOn3X7U6CkpbEyXs2Ha6IAbO9:gjPVBTDEBI3tM8O3rU69Yqs2Ha6IAbO9
                                                                  MD5:2D4B1FADAE06F7A7B27423401A9DD5AD
                                                                  SHA1:8527CF9CD54331BA3702A80585D1E2C0939F6A84
                                                                  SHA-256:5E3F7D8696F9516BC719C7643A408195A6247D56362067EBC022A023974AD797
                                                                  SHA-512:EE766E211D6C8F66CA5DCE16EA24886EFBC97DA69299ABDF97E6BF8665193BC28572C26A62D8FD113BF8C2AD5509D0F1AA4448778EF24BEED06D6D1BE427D4F9
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.V.).8.).8.).8...F.(.8...E.*.8...U.&.8...e.-.8...C.,.8.).9.j.8...V./.8...B.(.8...@.(.8.Rich).8.................PE..L.....J...........!................h........0...............................p.......................................?..`...,5..d............................`.......................................2..@............0...............................text...k........................... ..`.rdata..`....0......................@..@.data...l....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16384
                                                                  Entropy (8bit):5.924426971558469
                                                                  Encrypted:false
                                                                  SSDEEP:384:sBODVbF10IOScwsRecX2w7dM8OjrU69FMKY:sYR67w2FX7xbOjNbY
                                                                  MD5:285D46A9F40AED54B7C2A0C8D0A7C837
                                                                  SHA1:3B6B4BD5592F3810A4AEBBCA3F6C60BB47050E5E
                                                                  SHA-256:7729AF41ED15D528EB34CA0A695F274A69C9A7662EB7AAA0B7C8981E5668ABB5
                                                                  SHA-512:2EC5FD501071E813EF49786E9B4B9DB2F60EC4CC0AD7810E34FB3A2E821E10BB5C21013760D3FAFD05261D5097441733BC1EA34F5930DAF8B9046B7EEA5334E2
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P..c>.c>.c>.2.@.c>..C.c>..S.c>.flc.c>..E.c>.c?..c>..P.c>..D.c>..F.c>.Rich.c>.................PE..L.....J...........!..... ... .......(.......0...............................p.......................................A.......5..d............................`.. ....................................3..@............0..0............................text............ .................. ..`.rdata.......0.......$..............@..@.data...|....P.......:..............@....reloc..~....`.......<..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16896
                                                                  Entropy (8bit):5.86576555380657
                                                                  Encrypted:false
                                                                  SSDEEP:192:bknq1Wq10MIAJqYY0IVrvxW/NmPE7DCFzKc2JeqvWMQBOb3X7U6CkpbALEkJObp:b/1/10x0IVrQV6LFzMwFM8OjrU698S
                                                                  MD5:FFB6AA045FBAA567AD7251244DF8276F
                                                                  SHA1:76EDB3169A6604FCFF5C600AD4EB3490B18A54DE
                                                                  SHA-256:409944903D65B08DB210835F9BD12155C0A204064F789A274ED161C84727BDC0
                                                                  SHA-512:64EA2FEFFA2FF7144B988CF18E2490BE324B0B5150C64BB4893860599BB49B23B5F7D3FC50098B5ACA21F8265331276BEF7734AC5CA21677ED16A35149209558
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P..c>.c>.c>.2.@.c>.C.c>.S.c>.flc.c>.E.c>.c?..c>.P.c>.D.c>.F.c>.Rich.c>.........PE..L.....J...........!..... ..."......&(.......0...............................p......................................@B.......5..d............................`..0...................................(3..@............0..D............................text...[........ .................. ..`.rdata..I....0.......$..............@..@.data...|....P.......<..............@....reloc.......`.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.692149876033606
                                                                  Encrypted:false
                                                                  SSDEEP:192:BaBKz1soAj7kCetkigBgJuRz9HzWMQBOb3X7U6CkpbAUgS1p+:E8z6FmttnUxCM8OjrU690U/
                                                                  MD5:395F6AA01A6545D94C596818EFCA4B58
                                                                  SHA1:49AB9090FD7E60E262D595B4B0B2FA7D5133196B
                                                                  SHA-256:F431DB34FA69CC6B8362F3B193D05EB0F71AC40D006024DB4D5F1127839D88BA
                                                                  SHA-512:1C2D6F69DE198F5F0154373E681420281B2481A7DCF7C840ACEE85C015A74AC30CB3B03AE186BF79736C0D26A8C496B466EA75FB64B1756A85708B2661773338
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*>b.KP1.KP1.KP1...1.KP1..-1.KP1..=1.KP1ID.1.KP1..+1.KP1.KQ1.KP1..>1.KP1..*1.KP1..(1.KP1Rich.KP1................PE..L.....J...........!................'........0...............................p.......................................>.......4..P............................`..|...................................02..@............0..4............................text............................... ..`.rdata.......0......................@..@.data...X....P.......(..............@....reloc.......`.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):348160
                                                                  Entropy (8bit):6.220550581313654
                                                                  Encrypted:false
                                                                  SSDEEP:6144:KMztEx4ccYQzT8LW8MPlJ3leAoOH0AtZxYfOj0vJ8MCCh:KMztEx4jeC3le+H0Ate6Ch
                                                                  MD5:D5B6EBFF9ECDE21B485E8FB3CFD983A4
                                                                  SHA1:FD74437714458CD6DB1C681B37F3F03C4A88FDAB
                                                                  SHA-256:20CBE819192EC47A8FD64B70EBDDB68B4D249E9C24935DD85F7200E65B73A80D
                                                                  SHA-512:67C111A5FDCAB2D96C21CFDBEEFCB7C10C0681D108C2C59A479C5D6CD43C21877496EE04534A7C5C9643A9C62D4D923768FA56864A4F1F0799FDFC8C0530568A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>h.._.X._.X._.X3.xX._.X..kX._.X..{X._.XgP[X._.XgPfX._.X..}X._.X._.X._.X..hX._.X..|X._.X..zX._.X..~X._.XRich._.X........................PE..L.....J...........!.........................................................P...................................... ]..K...TE.......p..........................4]...................................3..@............................................text............................... ..`.rdata..k...........................@..@.data........`.......`..............@....rsrc........p... ...p..............@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):5.5916601163776525
                                                                  Encrypted:false
                                                                  SSDEEP:768:zio82/6sTehdJVzcxHyyHp7qaBWWOLdksklY6WtigRcXe7PCun6QDUaizbOjEaSX:z2oHyKp7c3dkseYnXWuTCueHOjhSX
                                                                  MD5:A3387401387B56FD21455028D9ED4D94
                                                                  SHA1:5967B3096E4811DF15FF45A3D09AF7F35A3B3834
                                                                  SHA-256:A1C07D51088264A7E409B0AA12647A59AEAFFF448664623815732847CE98707F
                                                                  SHA-512:6D243F39F94C4F56EF40F6A9D2864F0C4BDC3EBE95A9E8BB21C729CA7357D4CE1EE6CF399D0B9122ED6BF98F9B96713EBB8EF545527D669DA567B4B4EFE4C2E5
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M]:..<T..<T..<T...*..<T...)..<T...9..<T.../..<T..3...<T..<U.a<T...:..<T......<T...,..<T.Rich.<T.........................PE..L.....J...........!.........`..............................................................................................$.......................................................................0...@............................................text...;........................... ..`.rdata..x8.......@..................@..@.data...............................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):10752
                                                                  Entropy (8bit):5.512538598071825
                                                                  Encrypted:false
                                                                  SSDEEP:192:gRchk83UoFvqbLepQbGtZFRI/eYeWMQBOb3X7U6Ckpby0db2PHlQtp4:gRchBUopQbE/OeCM8OjrU69W6t
                                                                  MD5:7F26B598CA009924E072ADE539B4BF30
                                                                  SHA1:B9109C67C98F55D6F661106A95F6191BF2C15B1A
                                                                  SHA-256:BA25585571956FE41CA7E720611F3DC2680D098FA92B16373E8FEAAB8A02161A
                                                                  SHA-512:AB7F5261C5654F8865D3A4A0ACA1356AE9EEB183A2A06C18779232BD3E9D25EC7D637BE06E301E8B83BF82B4CE08CEED4FB06F99CFC4B9E4D6019D7115610310
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..y..w*..w*..w*.t.*..w*'v.*..w*'v.*..w*.**..w*'v.*..w*..v*E.w*'v.*..w*'v.*..w*'v.*..w*Rich..w*........................PE..L...Q.J...........!................x........ ...............................`..........................................=...|$..P............................P..D...................................."..@............ .. ............................text............................... ..`.rdata....... ......................@..@.data...P....@.......$..............@....reloc.......P.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16384
                                                                  Entropy (8bit):5.874354102173307
                                                                  Encrypted:false
                                                                  SSDEEP:384:cN5wKirushNXFAxfBdtYgDT5x6M8ODrU69zwxshp:cN6KNBdtVTKXODbwmh
                                                                  MD5:665030989216B2DC06D896B69DD370A9
                                                                  SHA1:9C1DA5CB923687AF5B01E2327D69C3988790352F
                                                                  SHA-256:0FFCBCE80AADF5358BC88F436113D2CB30E7706B77453F1CBDE96C2A6172D4E2
                                                                  SHA-512:F0191E99E4E6470C19165E5A9E9EE10A9932F4F0F79EC80B6CAA3A4D953CB6B085835058FCC2A5A78BB9B7BDEEBB082C3CAC81867A77103CFBAC6427DA683144
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.>?|.Pl|.Pl|.Pl...l~.Pl[.-l~.Pl[.=lr.Pl...l~.Pl[.+ly.Pl|.Ql2.Pl[.>lz.Pl[.*l}.Pl[.(l}.PlRich|.Pl........................PE..L.....J...........!.........$.......$.......0...............................p......................................0B..T...,7..P............................`.. ....................................4..@............0..D............................text............................... ..`.rdata.......0....... ..............@..@.data...X....P.......:..............@....reloc.......`.......<..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):139264
                                                                  Entropy (8bit):6.2144727354207046
                                                                  Encrypted:false
                                                                  SSDEEP:3072:ynQwZUq8HNaRifjWxu2R0jKXZ2AMxfkS2mytJ8FeMFYaM0NYwOjIbUlW:ynHxu2Kj27KbMCC+YwOjIg
                                                                  MD5:F4D2F94862C2139BAF34A1AEEBE46AD7
                                                                  SHA1:20F0618E4C71DF62FFC20A757E83AEF2BB4E47F0
                                                                  SHA-256:AF581320F5C367B1AE8FB874B1AF1CC1B7AA62772A0F695EB15D44F84C558474
                                                                  SHA-512:A274D101A26CDD6317A2D9BB29D7A9307F95670855BC2F5529B351B4ACF01F919525F9BB8911D21767377E60DF87AC81F6AA890F2BDFDA29E213B1702FDA7884
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4...4...4..g...4......4......4..3;...4..3;...4......4...4.. 4..*....4......4......4......4..Rich.4..........................PE..L...8.J...........!.....0..........q........@............................... ................ ... ................................................................................................@...@............@..h............................text....#.......0.................. ..`.rdata..Z....@.......@..............@..@.data...............................@....reloc..J........ ..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):17920
                                                                  Entropy (8bit):5.874971480449688
                                                                  Encrypted:false
                                                                  SSDEEP:384:Ehvm5IJPp5LQvwf/R9EHrHy1NxJp1M8OjrU69VQUOW:EgIFseEHrHy1tp1bOj9Q4
                                                                  MD5:70B281B2E79516AD11D8C4498C2084A0
                                                                  SHA1:A9FB2A0D21E9C4F73162B923A0D346FD5B407E3F
                                                                  SHA-256:B7FD5F6B64FC078F8A1A1DF129DF0C37F294CB92E06817C826B093DC7A375AA2
                                                                  SHA-512:2BF839B50A431A25CED047C8153B29907699EBF216F87C50CB5374686C97D4D2C44E0498915BA1963BD71A77B748A08FA962CEAA60740C720284A02FD28DFC7A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V)D..H*^.H*^.H*^..T^.H*^5.W^.H*^5.G^.H*^.Gw^.H*^5.Q^.H*^.H+^vH*^5.D^.H*^5.P^.H*^5.R^.H*^Rich.H*^........................PE..L.....J...........!.........(......_&.......0...............................p......................................PF..k...D7..x............................`.......................................3..@............0...............................text...k........................... ..`.rdata.......0......."..............@..@.data........P.......>..............@....reloc..L....`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.827137934535902
                                                                  Encrypted:false
                                                                  SSDEEP:384:9Sb7QtDOJzfRgD7Qpaiy8LM8O3rU69x66:9Sb7CDqLRgDCbO3J6
                                                                  MD5:7E8EBC710DEE1C2F80219FB91DB9AFCC
                                                                  SHA1:BB5E93B41FA42E6B7F1E1F733750012477679570
                                                                  SHA-256:D5650DA0B9DF51CC46D61987F835729F30CE07B4038791EE91F4E47D724F2B2A
                                                                  SHA-512:E63DB83B1DB89D79263BB89372F3661160FF03385FA5F0BEA0547875B421A116CAD8A56BA299589845713894401F83E64FA74938D4E495E9E4651A6F3129309F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<.+N<.+N<.+...+O<.+i..+L<.+i..+@<.+.3.+L<.+i..+K<.+N<.+.<.+i..+H<.+i..+O<.+i..+O<.+RichN<.+........PE..L.....J...........!.........................0...............................p......................................`?.......4..P............................`......................................`2..@............0..(............................text............................... ..`.rdata.......0......................@..@.data...X....P.......,..............@....reloc..N....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):6.306370197876233
                                                                  Encrypted:false
                                                                  SSDEEP:768:VGsX/NNQYd43NCBd2iUGHhi2HQMN6bOjaQmjHRCmGwQg+Lw:MsXFNQYdICvpUGHhi2HQMN8OjJmjHRCI
                                                                  MD5:0FED34B8640EC4BBE303CB60A6F3E6DF
                                                                  SHA1:032A418BA5ACA1C6A3399D658138817E5172BA48
                                                                  SHA-256:DA59B61325553D4B19FC2A25E889B05DBAE9502C9E9249E9D0076393DD540AEA
                                                                  SHA-512:A45576559DF4B2B0ED543A3A3F7E803EB95A75DDD4849524F0003BC511EFA675D46D105F476D456F4BA4993E65E0346B5EE1037A463019E9341820F1C6501325
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8.t.Y.'.Y.'.Y.'...'.Y.'...'.Y.'...'.Y.'PV.'.Y.'...'.Y.'.Y.'.Y.'...'.Y.'...'.Y.'...'.Y.'Rich.Y.'................PE..L...|.J...........!.....L...6.......S.......`.......................................................................{..d....h..x...................................................................0e..@............`...............................text....K.......L.................. ..`.rdata..D&...`...(...P..............@..@.data...|............x..............@....reloc...............z..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):5.681497735197174
                                                                  Encrypted:false
                                                                  SSDEEP:768:yiJdSG2reV+lwO2Rb4RY8q+Tyc4cz8vyOd3+CQx7liIxdAXND2gTyoN4UUGrDo3/:1JR2SswXtjU8jYJiITANdDonOD08I
                                                                  MD5:C433BF8C6CEFB5A3671250DE23D1DE54
                                                                  SHA1:608B70F4C31540F675B0D4833F129DB23177EA16
                                                                  SHA-256:2570C00700841A1C2C039631E4825D83039CCA2B028A7E50FC80EF1532DC86F0
                                                                  SHA-512:982122CA6D004B373772977FED9E4AD5C32C6884412F16D64C1ACE7BA00886AC6D446E72F0761802EF16A57C5C7793BAE85CD7A5194354A71F8E1EA51872A175
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Z...Z...Z..t...Z.....Z......Z.. U..Z.....Z...Z..LZ......Z.....Z.....Z..Rich.Z..........PE..L.....J...........!.........p..................................................................................... ...c......................................(.......................................@............................................text............................... ..`.rdata...D.......P..................@..@.data...............................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.474773562668833
                                                                  Encrypted:false
                                                                  SSDEEP:192:bzanQznrs2kCnJsQsq77/TB5//TWMQBOn3X7U6CkpbPEsUvQCqtMRhApQT:bzanQjrsCnJDxwM8O3rU69QsUvQCqtM1
                                                                  MD5:75A94969DC191A468A8A121ACF9C8FE2
                                                                  SHA1:67809FCA4289F5D15BEB792ECCBE44A34F4B18B2
                                                                  SHA-256:4F258BC52D33F4AD651CA94C69763CDE7841A13249EDF8978D9EA655AFD6AD24
                                                                  SHA-512:A169D42A10F7CB01D6FC25827EDB32BBE6293F44EACAF6E152A798D3274537C0DCA5E059B38398EE8C921442F7899AB833CB422A48DFBC94FD9941ED202A0908
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].xN<.+N<.+N<.+...+O<.+i..+L<.+i..+@<.+.3.+L<.+i..+K<.+N<.+.<.+i..+H<.+i..+O<.+i..+O<.+RichN<.+................PE..L.....J...........!.........................0...............................p......................................`?.......4..P............................`.......................................2..@............0..$............................text............................... ..`.rdata..#....0......................@..@.data...`....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):24576
                                                                  Entropy (8bit):6.143317242055783
                                                                  Encrypted:false
                                                                  SSDEEP:384:TyuGOrjk16LAXAv2pRrofIrvkQ4br1oY1/+zDou993i5yHM8OjrU69T/z5onVL:TyuG2Rx2pRRshbBo0/8Do7yHbOjbanVL
                                                                  MD5:BADFD0DE9AC14DFAB378D6F978D22F0C
                                                                  SHA1:6958C6A6CEB4BE625D71310CC65A05510C84A13B
                                                                  SHA-256:6994F4F64115D0F37A91FA0795C5CCBBDF6CFD1433A52745DA1849EC72C84C45
                                                                  SHA-512:0F4FB48071F0FABD012ED967825CBBE8FB36C3C55785DFADE4D27298650AE3A1F19A57FE8739C50CD0BBC699950AFB9EB138FAFAC1D9122F930C793CD102BF23
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n.fSn.fSn.fS...So.fSI..Sl.fSI..S`.fS..;Sl.fSI..Sg.fSn.gS..fSI..Sh.fSI..So.fSI..So.fSRichn.fS........................PE..L...z.J...........!.....&...:......V0.......@.......................................................................d.......H..x...............................d....................................E..@............@..L............................text....%.......&.................. ..`.rdata...,...@.......*..............@..@.data........p.......X..............@....reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):27648
                                                                  Entropy (8bit):6.1942460547191125
                                                                  Encrypted:false
                                                                  SSDEEP:384:2RIsoWJX+o5C3f5vvTua4wMrCqW25dsIg5x5M8ODrU69/LZZpNg:2RI/Kj5af5vvTuVwlBSGIgJXODHV
                                                                  MD5:7B26CB43C185C5F823E4BAEE63C0D7F7
                                                                  SHA1:8071EED3EA29A7746E32A11E8A169C6AE5ACC9BD
                                                                  SHA-256:1F6B87A50D48C5688D533CA12816CEBC7A3F059070DF716CEE7F0DB62F0A02A6
                                                                  SHA-512:E69D6372CFC29E55304BCEF1AC1CC80E320A7452E60D8677E1C2CD4AA2C703CAA66581B794EF71870039FDE8F0DF4FD97452F6A1A4D8844A2933BA76DFC89406
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!...e...e...e....5..d...B7..f...B7..j......g...B7..b...e...?...B7..b...B7..d...B7..d...Riche...........................PE..L.....J...........!.....:...2......CA.......P.......................................................................g..j....Y..d....................................................................U..@............P..x............................text...[8.......:.................. ..`.rdata..*%...P...&...>..............@..@.data................d..............@....reloc..Z............f..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15360
                                                                  Entropy (8bit):5.854078443301743
                                                                  Encrypted:false
                                                                  SSDEEP:384:JfqE3/T/3s3wV70NujeUYY3hOhT1j5M8OjrU69ol1pAWQ:JPLcc0N6eRGhOhT19bOjQl1pW
                                                                  MD5:CA40F84CA85CC8B34572319090EA9AB6
                                                                  SHA1:9E4E3B00DE386B61DDAFCDEDAADB096D1D4BCC59
                                                                  SHA-256:C1244CAE8C70B950F835678A01583675231C93C04BCC3D562A89C97612DD4CF2
                                                                  SHA-512:0FC0BB8B178D231D19F542523F2E410757A80A754A8C353794FA13DD841A519AE9895CC1E065E3A3A1266BED71F1A328F2CACED8EF00708731F1661C6086E079
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C..."..."..."..^...."......."......."...-..."......."...".."......."......."......."..Rich."..................PE..L...u.J...........!......... .......#.......0...............................p...................................... C..h....6..x............................`..(...................................H3..@............0..x............................text............................... ..`.rdata.......0....... ..............@..@.data...|....P.......6..............@....reloc.......`.......8..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11264
                                                                  Entropy (8bit):5.518017508972466
                                                                  Encrypted:false
                                                                  SSDEEP:192:1kOp+yheD6Xst+OrBPX3HDACxTWMQBOn3X7U6CkpiPUmpHL:1Fp+yhNi+O9vH0tM8O3rU69iDB
                                                                  MD5:19C2E2687E83889DD222CC44D6571EB9
                                                                  SHA1:9E59794493349447D64CA82929D3701667434AD8
                                                                  SHA-256:673A5A4E2B19CCFE2AEA801FFC657D6A07AF86A53F39C1624F4CFEA54A313C58
                                                                  SHA-512:0885F128FAB2D7DDC5AA0CE2E8EC5C8782A6701AD4F15BBC501C91AA7357AA339AF50A38F6EBFFFEF1426343A46202CE371E53A0E9C6E59E2B972FA364AB4A63
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]:xN<T+N<T+N<T+..*+O<T+i.)+L<T+i.9+@<T+.3.+L<T+i./+K<T+N<U+.<T+i.:+H<T+i..+O<T+i.,+O<T+RichN<T+................PE..L.....J...........!......................... ...............................`.......................................-......\$..P............................P..X................................... "..@............ ...............................text...K........................... ..`.rdata....... ......................@..@.data...X....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):5.609559631657768
                                                                  Encrypted:false
                                                                  SSDEEP:192:QcXJLykqspwRQRyoDagqdKklkXT0WJLkvWMQBOb3X7U6CkpbmGT/vpB8T:QcXJLykqspwqRHJqsDbJPM8OjrU69iYk
                                                                  MD5:8158DB2AB661967685A88EEB066EAA67
                                                                  SHA1:C3B634809E90B11A48BAE62F2E218E2F8668CFED
                                                                  SHA-256:F22AAED42681A4687F341CB8C7AD2F5BE722230034D66D301CE008DE320200C6
                                                                  SHA-512:6506BF5ABDE1B21C27635C97EEEB9C4F41DDF2EBD191AA77BE15A9AC478653B64855E38461D2B2B9ABE694945C7C59D6B0428A008E03A8B2318AE2423FE67B53
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.9i..W:..W:..W:.t):..W:'v*:..W:'v::..W:..:..W:'v,:..W:..V:L.W:'v9:..W:'v-:..W:'v/:..W:Rich..W:........PE..L...m.J...........!.........................0...............................p.......................................@..$....4..P............................`.......................................2..@............0..<............................text...K........................... ..`.rdata.......0......................@..@.data...`....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14848
                                                                  Entropy (8bit):5.743032925469375
                                                                  Encrypted:false
                                                                  SSDEEP:192:vkLqC5tjHbCmniA7t4d2/DcaAuxIhvWxAlv1MpLlvtjN09cWMQBOb3X7U6Ckpbw/:MGCzlniA7t48DcBh1MVNCM8OjrU69MC
                                                                  MD5:F26210790BC1049594E161CC28191DA0
                                                                  SHA1:C3EB09834445F1D5E50DD9D22E00801EE5A91B0D
                                                                  SHA-256:89E73F53F546CDBC2AEC110704292161A807B351EC5B1531CFBBE5E6F8C65C35
                                                                  SHA-512:5A0422D60694A96F032AF7E88071E6F87C75772823FCD398ED9C2FF546FFAC4F0CA8DF0A14F17A40EC666BF83E5C427022EAA0618320562C89B5FC0D64C7DC7C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.v..h.^.h.^.h.^..f^.h.^5.e^.h.^5.u^.h.^.gE^.h.^5.c^.h.^.h.^Oh.^5.v^.h.^5.b^.h.^5.d^.h.^5.`^.h.^Rich.h.^........PE..L.....J...........!.........$......$........0.......................................................................D.......6..x....`.......................p..(...................................(4..@............0...............................text............................... ..`.rdata.......0......................@..@.data...x....P.......2..............@....rsrc........`.......4..............@..@.reloc.......p.......6..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):19968
                                                                  Entropy (8bit):6.025840194496445
                                                                  Encrypted:false
                                                                  SSDEEP:384:0OOOyzeZmIthW+CGRHfFwI7T1KBXzzRn+FXoEu+NM8OjrU69cHkW:0iiIthWitw6KtzRnwFuObOjEEW
                                                                  MD5:A575F18E1D3AFE916BAADA33167FCF11
                                                                  SHA1:2F86E0271F7EC1E4AA5C10AF448D59FCFE870A58
                                                                  SHA-256:83810DB16B045C6C351495D315DDC1E665C58DE57ADBB85BB30E530243B6B76D
                                                                  SHA-512:0A644C4C9FD39A3B0380FE1C1C850BA8E83A4DF742AD4DD5885441B596F60A67AE392826C8BEF044B3B965747C7E010E8F86CC736E20AFE11AAAE75118FCD774
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............H...H...H=&.H...H.$.H...H.$.H...Hi.H...H.$.H...H...H...H.$.H...H.$.H...H.$.H...HRich...H........................PE..L.....J...........!.....&...(......&/.......@.......................................................................U.......I..P............................p......................................`F..@............@..t............................text...;%.......&.................. ..`.rdata..r....@.......*..............@..@.data...h....`.......H..............@....reloc.......p.......J..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12800
                                                                  Entropy (8bit):5.562687299045992
                                                                  Encrypted:false
                                                                  SSDEEP:192:iX5dmDhuzFCyF5ZCiy9kuOGV5cD31kBWMQBOb3X7U6AkpbQMdoxp5:iXrmmFz5ty7M33M8OjrU6Lcv
                                                                  MD5:BBC8897B9FAD788217F2CB60DF47BC71
                                                                  SHA1:DFDBA4AD382106096F3478919EE26BD1D66F8C6B
                                                                  SHA-256:3F65F15F56A6ABF9DC7E053D2D2BEBA881349AEDFFD6746AC6ECB627040646C3
                                                                  SHA-512:0906C19FDDEA52CD32E8A017D0BFE63E6580D7561563382BB1547CC11EEF882645D07239297B88666C5227801E0DF15537848206D374436BC8F6E10C299A590A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.9...WJ..WJ..WJ.t)J..WJ'v*J..WJ'v:J..WJ..J..WJ'v,J..WJ..VJM.WJ'v9J..WJ'v-J..WJ'v/J..WJRich..WJ........................PE..L.....J...........!................3........0...............................p.......................................?......\5..P............................`..x....................................2..@............0..@............................text............................... ..`.rdata..&....0......................@..@.data...X....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):30208
                                                                  Entropy (8bit):3.2887515320141656
                                                                  Encrypted:false
                                                                  SSDEEP:192:BGOFHfqiJVJr1NcwBY8GCIskoLp68lVWMQBOb3X7sVR6yk5N2o:B1FHfqiJVlcwcC7Z8M8OjrsV5S
                                                                  MD5:61F4134616365DDFC317890D95F13B1D
                                                                  SHA1:14A39BCB8F76B5A20AB72816FA9CFB8B9075E88D
                                                                  SHA-256:749E01E81EC3FB1E9B668A761F96B63E319D697E86EC716A540E3141D595BD07
                                                                  SHA-512:CA1DC7806226F0A2046908D61322F9EF825DCBE8F21234C1838122DEC59C33360F2819AE6C3236E06C4B4C38A5E3E921D969281D3B21CF7B4A45BD4FB70CB5A7
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T..s.e. .e. .e. ... .e. 7.. .e. 7.. .e. 7.. .e. ... .e. 7.. .e. .e. Re. ..9 .e. ... .e. ... .e. Rich.e. ........PE..L.....T...........!.....F...0......]........`......................................................................@r..x.......d...................................................................xg..@...........H................................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data................`..............@....idata...............b..............@....reloc..n............r..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29184
                                                                  Entropy (8bit):3.2762631428660165
                                                                  Encrypted:false
                                                                  SSDEEP:192:k98HCSFnuNk5CSMfCNcPXUoemph0/VWMQBOn3X7U6CkpbDOuua:A8HCSFnuNkpcR3JM8O3rU69Xju
                                                                  MD5:A2AB81B31D376D6FFB02FC74DF0615A6
                                                                  SHA1:690FECA1E2B54F91904D26DEE07998A4687E9170
                                                                  SHA-256:C3A138F8F8E9DAB79320955E67FCB176980A426F8FCBAE547E595E20CF6E43DD
                                                                  SHA-512:A98581AB8DF5603BF72212F14E1C775CA093EBF1D48A0B16B0AB90D75A5A5B08C9335067C493CFB845326EA7855FD4BC0C6E9B0A715917376C2BE3741D90F248
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.1y.._*.._*.._*.t!*.._*'v"*.._*'v2*.._*..*.._*'v$*.._*..^*C._*'v1*.._*'v%*.._*'v'*.._*Rich.._*........................PE..L......J...........!.....D..........u........`...................................................................... r..........P...................................................................Hg..@............................................text....C.......D.................. ..`.rdata.......`.......H..............@..@.data................^..............@....idata...............`..............@....reloc..s............n..............@..B................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):3.9093544278859853
                                                                  Encrypted:false
                                                                  SSDEEP:384:QlLkArvnv7JheoSi4jaVwnv7fF2vX2Z+OxZM8OjrU69Fm7:OLzrvFhp0vZ2PU+wbOjtm7
                                                                  MD5:AEDB153FBB9E3A5DFB524D5E88A62CF0
                                                                  SHA1:D2C122DD5741C3CBC48E4E25CA2F68FD06A1D75A
                                                                  SHA-256:7D4E78E4C30F571E3637AEE5734B34C8CABDD21ADF92C7C64B479FEAF7A8604F
                                                                  SHA-512:11E3E99D887BDFF9B2C0E0EC7CA7BEE0CD2119634153FECB8F572E3635034D502EDD4ED37E7437832B6E9DD1293D899272DFC9B5483FB9E67019ED11B14D2E89
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............Y.Y.Yyn.Y.Y.l.Y.Y.l.Y.Y-..Y.Y.l.Y.Y.Y...Y.l.Y.Y.l.Y.Y.l.Y.YRich.Y........PE..L...'.J...........!.....Z...>...............p..................................................................................d...................................................................Xx..@..............h............................text....X.......Z.................. ..`.rdata..*....p.......^..............@..@.data................|..............@....idata..0............~..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):31744
                                                                  Entropy (8bit):3.4731929237622827
                                                                  Encrypted:false
                                                                  SSDEEP:384:rQzPs+6aF+y81ekAZMQaJU8M8ODrU69l:czPXVoy84BKQZ8XODt
                                                                  MD5:28B44509E88530ECF10951E1A8188858
                                                                  SHA1:BEBE17372B804090092C9A9D61B8953AABAE59C3
                                                                  SHA-256:BAA91A5132DEEF01F7D4751B78A8EAE8DA2B061DA405B6929CCA20EC73E3D7DA
                                                                  SHA-512:B10772859885D54601A9E55B33D3BF739EFACAC5F464CB8C288822D6324C9531333F6EF4FA51024CC180AFCE151DAC11561F543A4E70611EBB209AAF2E46E46F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..y...*...*...*.t.*...*'v.*...*'v.*...*..*...*'v.*...*...*F..*'v.*...*'v.*...*'v.*...*Rich...*........PE..L.....J...........!.....J...2......' .......`.......................................................................r../.......P....................................................................g..@............................................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................f..............@....idata...............h..............@....reloc...............x..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):35328
                                                                  Entropy (8bit):3.7173021452801143
                                                                  Encrypted:false
                                                                  SSDEEP:384:R7CpguSRXtMigsXXQWHW8Oracc3LaIyoDzxM8OjrU69n17:RYgrRXtMigsX928OeccuoRbOj/17
                                                                  MD5:49F87C488CA38BB79F7FEBE036AC6226
                                                                  SHA1:3791729297293F92B0CD25303929A5A11BEC0006
                                                                  SHA-256:ACA8624AFC7B104ABE445DEB9AB8452816301B45E159FE411F8BD0611484D927
                                                                  SHA-512:D7C807D77BDC3BC52F61D2026D1FB1AD4E03BB87464AEF710EADAEFB376341FB5C1B0E1CC94E47E50BD2EF74C0F1F9973C37873B6C6394C7A7FD2B10924AD0B1
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.9...W...W...W..t)...W.'v*...W.'v:...W......W.'v,...W...V.O.W.'v9...W.'v-...W.'v/...W.Rich..W.........................PE..L.....J...........!.....R...8.......&.......p..................................................................................P....................................................................w..@...........H................................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data................r..............@....idata...............t..............@....reloc..n...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):3.5214977425451863
                                                                  Encrypted:false
                                                                  SSDEEP:192:nUG+YbTsvuxWYNXaJhrUydHN55kAdYWF2dz8prdTWMQBOn3X7U6Ckpb1V3wb:UPY/PxzNKJVL55VdYfaOM8O3rU69BOb
                                                                  MD5:58D053CF356D370891279DAA9FE57697
                                                                  SHA1:37A3AB19CAE64C14DCAAE5E5C6D654522995F40B
                                                                  SHA-256:0DD292F205BEE3CC8F8970634622F3FC166B7FE027602C4C0D27A4C4857B5C0B
                                                                  SHA-512:304E98BC788151C0A84BD75C3D09012DA47C96BA90EEAFF2CCE48F0835812F090772BD33C957060048DBC78FBBFE25958D5D2D97D1A7AC2C8D00D2E1331DF47E
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):30720
                                                                  Entropy (8bit):3.393628142885168
                                                                  Encrypted:false
                                                                  SSDEEP:192:1vkaE9KAIZFlUZNXrS3gW8g9kcaog6U0xF2pD5TWMQBOn3X7U6CkpbvxY:WKAelUZN7S33Z26U0K6M8O3rU69
                                                                  MD5:552A9E68E6FA752F48299F8B6A352EE7
                                                                  SHA1:50942C90EBB41A983FBBB67D3B3EB3BAB202F14D
                                                                  SHA-256:B9E0CF4614E1D3A11D94E1B3A505AC3D5AEDB30940DECEA3A52AE448D34DD6F2
                                                                  SHA-512:4D9ACE1D8D688DCC6326CDB0BFFDC1CDDB9FB6D2F53EF43BF25C5A35B8E0EC4A3A29DCFE9ADEAD6F954BFC1DB5A66126478FC93ECA91B557A4603BD37CB168B1
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):3.5769074346685783
                                                                  Encrypted:false
                                                                  SSDEEP:384:wvFYFC3Ti8B1eWFtHQA73RZM8OjrU69Wu:nFGTi8KWFlZbOj
                                                                  MD5:F0CA13C5A50BB4067C57E68F5B311C5D
                                                                  SHA1:65A572D95AF14940D2297301F70404690B4402D0
                                                                  SHA-256:8E9B4368F4C9336F9B6F68E91820946414614FF3ED58C5670B8114828C64CC3B
                                                                  SHA-512:E5E09AEFCCF24FA6B13C6E9371FA83C8B708EDA96DD216D63F7669DBFD6DF843A3A4C95D96FFEEFA00113B35C286F6BA7145B01B7064AA49B2032043D4933615
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):38912
                                                                  Entropy (8bit):3.9479596116068394
                                                                  Encrypted:false
                                                                  SSDEEP:384:+tCtjB/th7QH7HKgjAyzPPA7Ocr7irSkUuWfM8OjrU691:uyd/jSHKMAyzPiirSkUuWfbOjN
                                                                  MD5:73906E06BF0B9A05575C4029A54AA69D
                                                                  SHA1:1E9194AEABD53467453DCBC1B6E0F91A4FFFA779
                                                                  SHA-256:C1B7C52ED589691AB7D9EF711AA562387A88A040EF80FD31A406F59F755514A5
                                                                  SHA-512:43ACC0502FCBF52DBE1637BBBDD0F311621F0421C85A2E995A99B4ECF26CAF58F8C978CE2076AA190234C7990213E658D344BC97004CE212BC4622F0D155EFD7
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):102400
                                                                  Entropy (8bit):4.790158022778158
                                                                  Encrypted:false
                                                                  SSDEEP:3072:rFu762oECRShUCNjw4Z5YP/UJBeLw2DJGIDOjK:puHoECRShzjw4Z5YP/U7eLh8QOj
                                                                  MD5:B5BDC8F16810FC6788D2C0995F5EB713
                                                                  SHA1:E887D0881B802801BDB3F2395EA397E62A8DFE68
                                                                  SHA-256:6034258679E92DB54C64A6F433779962D8246CE2EC85344ADDA19BFCE880737D
                                                                  SHA-512:16170DDF66D3BCDA984FC311CC2C480C26B4222C8E22708B754D969BA15FE50A0E054360A19F148E5F8792151524D45E51E62C8D5CF61E45C5D2334024B15953
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):106496
                                                                  Entropy (8bit):4.811851706844323
                                                                  Encrypted:false
                                                                  SSDEEP:1536:/FhVgkiU6b4A1yvk1SL1is0yZ2X2AODBKS:/FhVgkiU6b4Rvk1SL1D0yZ2X2AODBKS
                                                                  MD5:7F45A09E2F2919A567F6FB27A518848D
                                                                  SHA1:3DF4BC2B83F8DD362FFF865A1EA991FCE602ED92
                                                                  SHA-256:C6058D504797923FE7B703C82EBC615595E5FEE470894FC647B6A0B1489B736F
                                                                  SHA-512:7AAE483A366C319738F291E59D7E1D0DC10F210668AA9A7140E6152DB9A1E11A899513292B9C6B722703A74E63D5C4F911D63563CEB4895EA0D6A25CD8B8CDF1
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):43008
                                                                  Entropy (8bit):4.1463883992400525
                                                                  Encrypted:false
                                                                  SSDEEP:384:3ajFyARhCFXeDzpr5MVqBwXf5oaA73uo8mYhfQndfQnexpZfUkRM8OjrU69g:3a1RhSXeDh5MRf4jYh4nd4nOZfUsbOj
                                                                  MD5:96B0069C5C0F299C46D48AF99E375E1C
                                                                  SHA1:41BF98D21754E7FF5DB3CF156EC2041488545410
                                                                  SHA-256:91E8CAABEF3D194F30E780C3CE181C21158F75C28481B6D20D90CFB456F01629
                                                                  SHA-512:AF5C5215489A789C655CAF4AEACEEE5AD723CBA35B25B6A5D1C3C7008DE695FB7C075C7C4BC682BB2267D274C315414EDD6FAD077F2F94DFAB923AB3F665A2BC
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):3.8218773920288336
                                                                  Encrypted:false
                                                                  SSDEEP:384:OgLt4tP+UrYtW4tUTuSeDtFv0PA7OhBM8OjrU69I:bRsP+UrYt+uTHv6hBbOjA
                                                                  MD5:3AD2A3A12B5962F7089C0569838802CB
                                                                  SHA1:02E536041FF17DB9EA32A098DEF6650D016AFBDC
                                                                  SHA-256:E6C0A60602937C39FBAA0A74D2064159B4EC9B860887E8EA2E0633B959889C15
                                                                  SHA-512:7AF0AED2F9DBA6EB21077F197DC292CDD45FAD2E6B4180780D804C3A2F32F527367AC89F7BB1F79E3A6616006C82CCBAA25906436D1792896EB2493FCE6B7FDB
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):36352
                                                                  Entropy (8bit):3.8427797807709996
                                                                  Encrypted:false
                                                                  SSDEEP:384:GCeCSSH4YIxcywFhoLiDqtCOnXkfrM8OjrU69D:5HZ1XoLiGgOnXkfrbOjr
                                                                  MD5:DAE7FCE58344BFC789ECA598225DE473
                                                                  SHA1:E17224B1070AEAC222B9CB8FE3AC8D5296174772
                                                                  SHA-256:EF9F2FE9AF45F634B074C44FF37A494C13B3DAD35E3AB17DDA701B26BB02504D
                                                                  SHA-512:89FEFD1B350C6A313F19FD53A819DFFBA739A9A1CAC106300D7C0AAD28D5A3E6C52202690C3757B6479A519037CCBB88A4B4CD7D0BAA59B45949F5BF2403EB63
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):35840
                                                                  Entropy (8bit):3.6882951596613047
                                                                  Encrypted:false
                                                                  SSDEEP:192:73fMCgDKJKY2pMo0KZ8rVTDReLAdMFqQiwA7B8F53wpxSQ8ZTWMQBOb3X7U6Ckpg:7El2IZ0KZ8v+JhA7OF2rSYM8OjrU69
                                                                  MD5:C40C954021727F26E9A1D3FFD85B8412
                                                                  SHA1:634FD0BAF5E003E2632D6BBF158D03A40ABB35AC
                                                                  SHA-256:577FEDAF2856E7FB6ABD35AA0442BD4B1CD8EE22F52F95BC925D8B8EFBB2ED44
                                                                  SHA-512:F98D7BDB9B27A91619D1B02288AA1B234271817BB1AA021C34FA3B2C9381D0AB9DD2336CEDC5BAEE9A562823843F30AA9E883EDDD32DC6C6DFB54C1133B529A0
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):35328
                                                                  Entropy (8bit):3.7199817523669854
                                                                  Encrypted:false
                                                                  SSDEEP:192:rH4z9njL6VYptlJXs/qclDv1A7UvTipxKjOMWMQBOb3X7U6CkpbTf:j0njL6VWlJ+lb1A76Ti2uM8OjrU69n
                                                                  MD5:52D554E8DA6B32776AF787E5F604DC68
                                                                  SHA1:E7DFC0138C24F5220164EC600A3220443165CCA0
                                                                  SHA-256:390DB0BA68162EA737340F9A2CB008BBA002BDBFC1ACBE4A6CD3451E5651E17E
                                                                  SHA-512:3FA6B23FAB64647DA84594B17C40E451155BE632B616DA78E1E6763F6FF55D33AC7C8A701A5CB33230718C58E1ED5332782818CDF4765757075DB34A421E3C6E
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29696
                                                                  Entropy (8bit):3.226214013787637
                                                                  Encrypted:false
                                                                  SSDEEP:192:N74FR3CUX1ZeKNIPY7LoeppB8p/p9VWMQBOn3X7U6CkpbgP3rBi:NkFR3CUFHIg7bUhWM8O3rU69Y9
                                                                  MD5:A37BE67EFB5E61C2B4AFBC801AC5AA97
                                                                  SHA1:D5D33CD8589A125EB87D564541DAF1D10F32D4E6
                                                                  SHA-256:BB089BFA899677197BD44741478C9CB8EF61D9B6FCC85EC37C8AA878E4C05D84
                                                                  SHA-512:6703C269219CE5B40711E77C45BA877473915745D3A6CAB4744064473773B38B6843788959473DB228EA65E7DB686425F86A6CC0BECACF48098B90DA8D1EB71A
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):35328
                                                                  Entropy (8bit):3.653932846745678
                                                                  Encrypted:false
                                                                  SSDEEP:384:ct7zC3Rjzyvi9hc9YvUI5IDM8OjrU69bW:cFzC3Rjevi9hfvXSDbOjy
                                                                  MD5:0E7AAC04D3F8DDCDBD3CB3F3C53D1E97
                                                                  SHA1:0C31F8C5C96201CC46C9AE2D3795D69390925280
                                                                  SHA-256:2E576118986F6334D2A7DDBA7C483514FBCA59E53FB908013CFF5C4729689DBF
                                                                  SHA-512:5757B8355D4EB53F0389846735FF75D4025FD250E7B3FD505CF9A8D3618C592BB4C6D92E97B7D5F55C6CA6B77AAB857D5B4E33189D562ED735FE34D018319780
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34816
                                                                  Entropy (8bit):3.6526922192828177
                                                                  Encrypted:false
                                                                  SSDEEP:384:mp6n32A6JZa3kgG6A7NC71LhM8OjrU698ct:mYn32A6JsDGmLhbOjh
                                                                  MD5:05BFE6AA3092E87D9B438E6BAEC7EBFB
                                                                  SHA1:7370D527EA61F9F221F5C7883E1A6A081183D520
                                                                  SHA-256:D311FF9F283FC4012ABA501772290128E1419561B10B5242B9F34E1124FC7B36
                                                                  SHA-512:60B26D97545E5FF6743354FF0AA0D674DF4A04A6F3D9754D61D7DE61199B34E6FDEE383FB9C5CFF9B82526CD7665F8D1EEBA2253FAE15397A1E1AE59C94D43CD
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..`n.f3n.f3n.f3...3o.f3I..3l.f3I..3`.f3..;3l.f3I..3g.f3n.g3#.f3I..3h.f3I..3o.f3I..3o.f3Richn.f3................PE..L.....J...........!.....P...8.......%.......`.......................................................................s..........x...............................D...................................8h..@...............D............................text...mN.......P.................. ..`.rdata..h....`.......T..............@..@.data................n..............@....idata..\............p..............@....reloc..)...........................@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.920631459954556
                                                                  Encrypted:false
                                                                  SSDEEP:384:iYwZg4c9lQah9nw1xNcMnGVtlVBchMKBbKyWe6XBb0llMO8u1VQwi+RJOsKXV2jK:iq9K2hSGDlEMKBb7We6Rb0llMO8u1VQN
                                                                  MD5:B0BDEDAC06033226668A7E11EB229C0C
                                                                  SHA1:761B9980891EA695E32D39ADEE3173E4D6D6789A
                                                                  SHA-256:D10993452A799A0C796D097304A73734758F058486AEB0817851BD3D2764F74A
                                                                  SHA-512:A836BE82C4F73A7FA6E8CCB325185A565AB64A2B168924C247DC2116A61E8344EB7AD17430ED980CF00DA5971D1717EB7EA3418D19347B6826C74F3C9B4E948F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|../../../Yk./../.i./.../.i./../.i./../.../../../.../.i./../.i./../.i./../Rich../........................PE..L.....J...........!.....*...2......O3.......@.......................................................................[..%....O..d....................................................................L..@............@..x............................text....(.......*.................. ..`.rdata...$...@...&..................@..@.data...X....p.......T..............@....reloc..N............V..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29184
                                                                  Entropy (8bit):3.2575570883008838
                                                                  Encrypted:false
                                                                  SSDEEP:192:zCIAhNUhZPp2G9+viC8IrXGj2fB5ZpM/TWMQBOn3X7U6Ckpbzr:zCIAhNUhZ8qCxGj2fBjZM8O3rU69
                                                                  MD5:811DCDE8FD47C27A1C3F1F92900D37DB
                                                                  SHA1:564F2A8FB3CB2C692E429431DE41FDDB5F391C2E
                                                                  SHA-256:07EC50D7EC1F836C21C7C6EE6B9B3E5310522DCC0B60876D6D32D98C28E876A4
                                                                  SHA-512:381D508312BD2E5C7755D3587A8F8D88BB7D1A8A1EE56FEA59B086322236FD0862C8C39A87A6335836623D312E9C405E163170DA523C6910BDA1BB4269529F36
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]:xN<T+N<T+N<T+..*+O<T+i.)+L<T+i.9+@<T+.3.+L<T+i./+K<T+N<U+.<T+i.:+H<T+i..+O<T+i.,+O<T+RichN<T+................PE..L.....J...........!.....D..........I........`......................................................................0r..l.......P...................................................................`g..@............................................text....C.......D.................. ..`.rdata.......`.......H..............@..@.data................^..............@....idata...............`..............@....reloc..j............n..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):45056
                                                                  Entropy (8bit):4.366285202762783
                                                                  Encrypted:false
                                                                  SSDEEP:768:k0V+MrhhRBnZoP59mQfsWgbOUaCO1dvIWbOjN+2qU9ue:k0VLrhhRBnZoP59mQfsWgbOzJ1dg4Ojg
                                                                  MD5:B31501F2DC2CF441FDCB8A821B3D5EB6
                                                                  SHA1:320B1308D98A8CF5EE621259E28621BD9D720517
                                                                  SHA-256:414BE9395045E9FB09C4A140DD6AD426359553B766888B547C34CC230A7C4E65
                                                                  SHA-512:EFEA2733FBBF243E4FB06FDF08A595D781062BCAD6FA66FD9F6E34E787BB903E28BAB3FEDF133706AE82181922F8A49988FC4AEF066629455F152F405CA9C640
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Fw..'...'...'..r.g..'....d..'....t..'..&(D..'....b..'...'...'....w..'....c..'....a..'..Rich.'..........PE..L.....J...........!.....0...p......n2.......@.......................................................................R......LH..d....................................................................E..@............@..8............................text...k(.......0.................. ..`.rdata.......@... ...@..............@..@.data...t?...`...@...`..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):45056
                                                                  Entropy (8bit):4.350499357385996
                                                                  Encrypted:false
                                                                  SSDEEP:768:e20V+JrhhRBgZoP5XblRUZNA4RzasDtR/nubOje2qU9XQ:D0VerhhRBgZoP5XblCZNA4R+6tRPQOjr
                                                                  MD5:675F750BB1E828C77295E87591FBF838
                                                                  SHA1:2D4DF675AD1E4A1F6CFAEE963351E637E7355BAF
                                                                  SHA-256:AE0AC3461A4CE87282165974FCE39644A4F772E0416198A9E92547F8A925DD6B
                                                                  SHA-512:94E9389089C00B2435AAD4E99EEF4DAAF86CCB7EADFC3D89B7A250125D436981CC9FE1F97E2816685D0D6A9FED6F3328583CF291F967B2AD2B1920797B5A34A4
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Fw..'...'...'..r.g..'....d..'....t..'..&(D..'....b..'...'...'....w..'....c..'....a..'..Rich.'..........PE..L.....J...........!.....0...p.......1.......@.......................................................................R..H...LH..d....................................................................E..@............@..8............................text....'.......0.................. ..`.rdata.......@... ...@..............@..@.data...t?...`...@...`..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):29696
                                                                  Entropy (8bit):3.1796916257242582
                                                                  Encrypted:false
                                                                  SSDEEP:192:2YY158ukRAwyOdNIF40OPdrpeGHDtWMQBOb3X7U6CkpbUD:2X/8uiAwNI9CMGHEM8OjrU69s
                                                                  MD5:609BBE6D1BCAF5ABD8693A20DB5900AA
                                                                  SHA1:B32CBF4869E9DFA918671DB0231FCFAA323F091B
                                                                  SHA-256:3503041E1AEF1E9C10D92647D86C17B89C67BF2718FB08B87020E4FD09F232E8
                                                                  SHA-512:EE7147BB7EE6720E64D10B142E09922F12B3903BA539DE15A9C32DDE607F89642733437AD3551AB54C60074C64159FC128A5AA8F91FB7C890B498DAE84E0148C
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DQ6y.0X*.0X*.0X*..&*.0X*'.%*.0X*'.5*.0X*.?.*.0X*'.#*.0X*.0Y*?0X*'.6*.0X*'."*.0X*'. *.0X*Rich.0X*........................PE..L.....J...........!.....D...0....../........`.......................................................................r..........P...............................x...................................@g..@............................................text...mB.......D.................. ..`.rdata.......`.......H..............@..@.data................`..............@....idata...............b..............@....reloc..G............p..............@..B................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):3.5660080974904345
                                                                  Encrypted:false
                                                                  SSDEEP:384:Z45AODgApiQmr591QEj70ElM8O3rBha0++Wh:u5AMMZ5377dbO3p+9
                                                                  MD5:B39725E54D1CD12616B3D198224A9A1B
                                                                  SHA1:A4EFCF4D55D3CBD04D461CCA604DE7266DF4666F
                                                                  SHA-256:88D8766B6142047A4A1937B30A2255CC4050031333DF9C7F4A5F6FB346F94BDE
                                                                  SHA-512:1985A0C2A6B609E9BC263F005B103314F50E77AFB1B5AD78D5C471E1DFC437E9640652BFEEBF480220E61696E6DF4B6BF4993BFF922EBA3DB2BA0D945D6873C0
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..,f..f..f......g..A...d..A...b..A...h..A...o..f..)..x...d..x...g..x...g..Richf..................PE..L......M...........!.....J...6....... .......`.......................................................................s..Z.......d...............................D....................................h..@...............(............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data................f..............@....idata...............h..............@....reloc..#............z..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):31232
                                                                  Entropy (8bit):3.4076460536828983
                                                                  Encrypted:false
                                                                  SSDEEP:192:6cY6d2B+isCvh6rBSWMvIM1FUFjhATpZytqrWMQBOn3X7BEqx3U3:6cY6d2oid6rBi1FwhAT6TM8O3rBh3
                                                                  MD5:D57910A2594728218098A1D1312BD794
                                                                  SHA1:25E8EC27D9EE56E13DAA53791DEE63CD9177413F
                                                                  SHA-256:318FEDFC30DF27BAFFE6E10F6E3D7FF3CB2C7D6BAAF4593DF272B3172CEBA1C5
                                                                  SHA-512:CF9DA26C422F3EB6E54BCA130DC9910590BAAA93F60A8A850383D7D1151995A0BAC4812B1C0D8C66EFE7FA25A2F3411951EBE606C4BC68511557199A3BCB1F8F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,H..,H..,H.qRH..,H.sBH..,H.sAH..,H.sQH..,H.sWH..,H..-H.,H..H..,H..H..,H..H..,HRich..,H................PE..L......M...........!.....J...0......U .......`.......................................................................r..........P....................................................................g..@........... ................................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................d..............@....idata...............f..............@....reloc...............v..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33280
                                                                  Entropy (8bit):3.5565607566502804
                                                                  Encrypted:false
                                                                  SSDEEP:384:CpXh3kpbfLdfIKeJzzliReqM8OjrsV5OqzV8:C9h3k5hfIKkAReqbOjKBV
                                                                  MD5:AA67FB3ADA40BF4AA7C69FDC287F9FD5
                                                                  SHA1:F46BD6D1B6D0C74036F55662076C1477967C9F56
                                                                  SHA-256:A2A2D68F99E3FB45225FB6F0EF642EBE1826086C6756D1C5A0EEE8195F0A1560
                                                                  SHA-512:FBCC63371650BC02D8E3CD84A59EE7DCA3DEAFCCE97754C1A52B74D2CF26020B35BE6C40868873F32BB61B000D1EE44EC036ED2289DAFB85F316008B0C912B69
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w4..Z...Z...Z...$...Z...'...Z...4...Z...7...Z..n...Z...!...Z...[...Z..`..Z..`....Z..`....Z..`...Z.Rich..Z.................PE..L...d..R...........!.....L...6....... .......`............................................@..........................s..........P....................................................................h..@............................................text...MJ.......L.................. ..`.rdata..\....`.......P..............@..@.data................h..............@....idata...............j..............@....rsrc................x..............@..@.reloc...............~..............@..B................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):43520
                                                                  Entropy (8bit):3.80305506012561
                                                                  Encrypted:false
                                                                  SSDEEP:384:h5+doxXwUL+lwm7cNn99Djtz/KbP29aHrHLcLikM8O3rU6CaV:f+dL+19fFaHrHLgbO3
                                                                  MD5:D688948EC75B76428DF3EBEFDB3B7E2A
                                                                  SHA1:14B348091EA5A82601CA2FE88E942E87F81FB8FA
                                                                  SHA-256:6A80BDDBB3415C9D4D8F095F2499CC07AC6A2763505F4C4DAAF78C11EF8587DE
                                                                  SHA-512:95764695939A20FAA14F50A45851767474E79428E436689E6E41F201B98311F6AB4940E8949BDEF832E41C19F48EFCF7D8D62F0B912E403599A5DD4596C7FE86
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a...........j.................>.........................................Rich...................PE..L...$.(K...........!.....X...R.......,.......p..................................................................................................................l....................................z..@...........P................................text....W.......X.................. ..`.rdata..` ...p..."...\..............@..@.data................~..............@....idata..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15360
                                                                  Entropy (8bit):6.01193164293979
                                                                  Encrypted:false
                                                                  SSDEEP:384:BmZ5J+pB1IzTm6mkvjGuMXFM8OjrU69Isx:BmZ5J+pB+zlmkLvMXFbOjg
                                                                  MD5:2A0DC0D69612B4E32AF603F2F6DC45FE
                                                                  SHA1:B6AD4F114A9DF79EA9A2D7DA3BF593C126B4E994
                                                                  SHA-256:AA7C21E39AF6A25744FC4BF78BAA30640B30FE4E8A9870FEBFC74D9B3F17F37A
                                                                  SHA-512:FD1BE70CB68B54A03C78858851204C6BFA78BC530081EC35BFF9A3C2B8A2ACF7D75FDBF92B16691EF04FEE46F0E1C4B2BDD1E4C90FF21696F8A063AFC68C3D00
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........c..c..c..2...c.....c.....c..fl..c.....c..c...c.....c.....c.....c..Rich.c..........PE..L.....J...........!................Z'.......0...............................p.......................................A.......6..d............................`..,....................................4..@............0..,............................text...[........................... ..`.rdata..!....0......."..............@..@.data...t....P.......6..............@....reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15360
                                                                  Entropy (8bit):5.959762976198366
                                                                  Encrypted:false
                                                                  SSDEEP:384:mmZ5J+TB1I22f16menGXK0cM8OjrU69Up:mmZ5J+TB+7QmenWK0cbOjsp
                                                                  MD5:7049D4C7B32784D59279B5FCA1A6FF3B
                                                                  SHA1:A4A7F6896CFA5B6C3EADBEBA41CFCEBECBB7E5A3
                                                                  SHA-256:14E1D69B8958EC616F531DCF96E9FF79C962010058B973FBFF326CD836D55205
                                                                  SHA-512:7A7652B0AB41C37FCB12E338B5E95414005892DBCEF20DE7F72C7DA2B62CB3F8AE2AEE0131383DF6DD7D2AC557CD8330BB341D1970DF7B59FB870FA1A80C5C8A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........c..c..c..2...c.....c.....c..fl..c.....c..c...c.....c.....c.....c..Rich.c..........PE..L.....J...........!.................&.......0...............................p.......................................A..=....6..d............................`..$....................................4..@............0..,............................text............................... ..`.rdata..M....0......."..............@..@.data........P.......6..............@....reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):34304
                                                                  Entropy (8bit):3.6193706151071665
                                                                  Encrypted:false
                                                                  SSDEEP:384:4MaMjnfE3J7BaD+aY/roa1pOZfM8O3rU69b:4MaMjf6BaD+aOr11ibO3j
                                                                  MD5:83D5F8F5365291A41A34997219B9B798
                                                                  SHA1:813FB54FB361680EEACC61406F6AC80296836DF1
                                                                  SHA-256:E8AC6ACF9CD4ECDD6FB65A36092677E74B0A4828BE8F8B38A33E915CBB76B378
                                                                  SHA-512:C8AF289DA920A7E5D06CA25D1177DC63976047192E3E4FE4CD5AF6677CD1809AFD6929610B726CDBBF3E71A7FF4C593167A8C441CB705DE653CF054944080EA9
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V)t..H...H...H....d..H..5.g..H..5.w..H...GG..H..5.a..H...H..\H..5.t..H..5.`..H..5.b..H..Rich.H..........................PE..L.....J...........!.....N...8.......$.......`.......................................................................t..t.......x...............................T...................................`i..@..............L............................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data................l..............@....idata..,............n..............@....reloc..7...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):52736
                                                                  Entropy (8bit):4.117178959507796
                                                                  Encrypted:false
                                                                  SSDEEP:384:+h35StDh3/FzTh1ocpZUNGQGvr0irDzcnxivx8JxBB0M5OArW69XW:spSlh3KiqNGQGvrnzsivxexBOmOAR
                                                                  MD5:F463280083D4D787065788461EC7F105
                                                                  SHA1:04B6A0553EF49A76D2EFA93E27E9DE8C819B019B
                                                                  SHA-256:40E55827F796B0CD45922F52270D503D2619F61C6D4EE89FD07E7CDA431FEC67
                                                                  SHA-512:06B8C1F616C1A9F568844D30DD5BB11B62F1C213F0BE262DE16120B2336B2651EE14796EC9F4FCFC3781D4F2B277B6EBE6E0FA094779D63E3AFE55F8AB7C1754
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................py......{......{.....$.......{............{......{......{.....Rich...........PE..L.....J...........!.........@......eB..................................................................................(.......................................P...................................@...@...........p................................text...o........................... ..`.rdata..............................@..@.data...............................@....idata..............................@....reloc..e...........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):115971
                                                                  Entropy (8bit):3.47673272078178
                                                                  Encrypted:false
                                                                  SSDEEP:192:I2cgjfTHcEVhYacEVhYacEVhYacEVhYacEVhYacEVhYacEVhYacEVhYacEVhYacu:9h+w
                                                                  MD5:601B9221DCB1B6355DAA8D76F84638EB
                                                                  SHA1:9B8EECF7EF7D85B3009D4E94DB34F6DF662B1326
                                                                  SHA-256:0B7B0F518E57773C46A8AD4B6B1581E643D8E89C06E1EFD0A35C3BEEFFDE9831
                                                                  SHA-512:D432C301ADF08968DA639E30E76911FDE0CE9C55385DFC9195E86A7CEF94B00B1E82CD89BEA2C133611C10CEAFA7CF9933FDE9647061DBFABA3BA87E8B332AD5
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.....D....###.###4........###o{.T..Q.....A....Q.###....###.###.B...###Ny.~..:...u#2m+.B...###@J##.B...#######.B^4.###.<%u0.m.u.0um%.d<#.B...#######.B3..#######.^...###.......4............###.###.....^...###.M..a.&..Sm..~..^...####.^.^.###..u%.m.u.d<%u<%##d#0#.#E#D#.#u#.#%#E#&#.#.#.#.#.#)#.#.#0#%#u#.#.#m#.#.#.#0#m#%#.^...###.###.^.......####.....###.###..Q..#######.....#######...^.###.u%.m.u.d<%u<%################################################################.......###......###....2.Bv.R.~......###......###....2.Bv.R.~........###.d<%u<%#.<u.#`.......)..........X`.......`..9....(....NO`..N)...`..X)..=c...)...(..=).....]...Xc..^.###..m...<.%m<.u....m.u.d<%u<%#.*...S..5c..........9...#....*..........7...=*..........O...#...]}...S.....#######.....#######...).###.###.....^...B..###.###.B.>.#######.B...###....2.Bv.R.~....B43.B...###.#.B...#######.B^4I###..m...<.%m<.u....m.u.d<%u<%#.B...###.###.B3..#######....#
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):13270
                                                                  Entropy (8bit):3.9352895176161735
                                                                  Encrypted:false
                                                                  SSDEEP:96:4ICg+hjyym8kHWbKgJEJEJtxI4tIZRxxx0UjWskdyyyXFlsqm4:4ICFh2DlsidWb4
                                                                  MD5:BECC415F6F395A9AE2AD24C367BA0025
                                                                  SHA1:B1F2C219A4284AE9FE74FC8AB4FFF56F08564DC0
                                                                  SHA-256:C8D8B285CD984A3151918C8E8C01F519AFDD832CEC6ADF01A4F8414654BCEF5B
                                                                  SHA-512:0A9DFD7A210B594B5222F926F62AAA96F4EC07A457CEE8661FAC991E8D1AA8DAF43113CE7EC46EF2EF5D00B596D68D104FCD2E16EF3AD3E503A6D26736BC52A5
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....V3..NPMS....B...NPNE.....NPE3.....?q........._......d...%$Q.M(.l;m..{7N....................d....jV=L -.KL.J...o.......#....k..........v_....k.RJ.F..J.J.R.]...k....................kvk.d.....T){3..C/-....k.k.........k.k.kvk.d......S..hx.....kv.k.....kvkv......].RJ.R..RJ...I.]..O..?.4.J.+.R...4.8...H.....H.3..R.J.8....H...4...R.kvk.........kvk.kk.".....kkk.........kk......b...kk..........kkkv3....._.R..RJ......................................................................kkk.kk3".....kkk.d............[es.dpkk3".....kkk.d............[es.dpkvk.kk.".....kkk.........kk......b...kk..........kkkv3....._.R..RJ......................................................................kkk.kk3".....kkk.d............[es.dpkk3".....kkk.d............[es.dpkvk.kk.".....kkk.........kk......b...kk..........kkkv3......R..+..RJ..................................................................kkk.kk3".....kkk.d............[es.dpkk3".....kkk.d.......
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):548864
                                                                  Entropy (8bit):6.401981856876486
                                                                  Encrypted:false
                                                                  SSDEEP:12288:b14yu7vZ0kPjOf1FcUt51U+hUgiW6QR7t5j3Ooc8NHkC2ek:b14yu7vZ0Ki9FDtrUa3Ooc8NHkC2ek
                                                                  MD5:336855174A8F8EC2854C9BF5DFF32645
                                                                  SHA1:284C66D0857FF398142D6F3F12C4EEB96FECC711
                                                                  SHA-256:2901B2F6727087D42EC4B40E319E827847ECD4D3C71F559D7B8C5E5442286CCF
                                                                  SHA-512:AC7D04315209646539DB3DD9F5B77A14C9A8AD110AA5D50F094FDF323DDF66231456F3D37FEF6D94AB00B16109465C583641CE88DCC75430B7752954ABAEDF7A
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L...Z.H...........!.....@... ...............P....B|.........................p............@.............................M...d...<............................ ..P2...S..............................Pe..@............P.. ............................text....;.......@.................. ..`.rdata.......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):626688
                                                                  Entropy (8bit):6.834110077145174
                                                                  Encrypted:false
                                                                  SSDEEP:12288:rb+HUIWn+P14Uy3rVLuNhr46CYf4mGyY:ryHRWn+/y3R6Ff4mGyY
                                                                  MD5:F0B72E15630D427D9293D4A528CCAF23
                                                                  SHA1:050FAA2CDCFF66EB2CDA2AB2B10489F3B50B4FA2
                                                                  SHA-256:01EBC78156571E208BBFFD53CBE3E2F141FC30B3E9B9D139F9A0CB3DD3CC9B57
                                                                  SHA-512:2C1FE166C304CA8E08E43002AB6041132EA12CD2653C94426573371F0FA6614D98131B68E392FAA6D38D8B12BFF33A0A78B4BAF6A1E4B546D31813EE737BAF5F
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n.L............@...........................;...............d...........................Rich....................PE..L...<.H...........!.....0...p......F .......@.....x................................%.....@..........................p...~..pb..<....`.......................p..$3...B...............................F..@............@..|............................text...J$.......0.................. ..`.rdata.......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):727131
                                                                  Entropy (8bit):7.417919481224035
                                                                  Encrypted:false
                                                                  SSDEEP:12288:rajdSsv66ACLsqAfzk1vAX/Df0FuFlD9e4pE3zMRivAUuN:raxvvLCLkVsb8e5pXeAH
                                                                  MD5:DD7E48305E4224C26A07918D4A7127BD
                                                                  SHA1:D28BDFB5779E8D218D8683F414D6C00B9ABD6F96
                                                                  SHA-256:576DD9215B11B97273F564E11FE9AA70366F3EB75C6DCB2BA41B5B4B84E6791F
                                                                  SHA-512:6EC53FD528541D9F0E2045B40A2C53695A0892D94BD3926CEA7C037DB78AE817D3CAF480C2A9E67C80B6C1F0A8A55A65D1EB68990FAA0519EA7FBB4BA9DF7608
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.........&&&'&&&.FMO.OOOI&&&]...U;X.[...=...O...&&&..Ot..&&&.&&&.".YI&&&%C...1.M..P.&..."...&&&'.&&."eY.&&&&&&&."\..&&&e.............s..&."eY.&&&&&&&."X..&&&&&&&e\eMI&&&r..94..Xv..k..6.e.e..&&&+&&&e.eYe\eMI&&&V2n..F.G..G...C.e\.e.&&&&e\e\.&&&s. ...&.}&.&.&q&.&.&.&B&q&.&.&.&.&.&q&.&.&.&.&K&<&.&K&.&.&.&.&.&s&.&K&.&.&.&.&.&e\e..&&&.&&&e\eYee...&&&&eeeY.&&&.&&&ee.Y.&&&&&&&ee.Y.&&&&&&&eee\.&&&. O......&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&eee.ee...&&&.eeeYI&&&...l.D.......m.ee...&&&.eeeYI&&&...l.D.......m.ee...&&&. ...&.s}.. &&&&...}&&&&&&&&&..&&&&...}&&&&q......q...&&&&&.&&&x&&&...&&&&.&&&J.&&.&&&..j&&&&&..jee.\.&&&..s..s.}K}......&LL&&&&&&&&&&&&&&&&...}&&&&&&&&&&&&&&&&&&&&&&&&&&&&;..};..};..};..};..}kk..G.&&.I&ee...&&&&&&&e\eYee...&&&&eeeY.&&&+&&&ee.Y.&&&&&&&ee.Y.&&&+&&&eee\.&&& s..... &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&eee.ee...&&&&ee...&&&&ee..&&&&&.'e\eY
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):222045
                                                                  Entropy (8bit):4.619110248892444
                                                                  Encrypted:false
                                                                  SSDEEP:1536:4SvoVhr76WcORht4EK6k1qTavrwBchMWnu:4SAHRqju
                                                                  MD5:505CB0D5A697BB11B6018B4629142EA4
                                                                  SHA1:C8E5310EBAD1096ECC294D769A5E0172AFBF5EDE
                                                                  SHA-256:611B6C8E4D867803B7C4E2AA06CCB477D443D83B64EE35B5DAB7FA1A0B2A8075
                                                                  SHA-512:B71472E01FE0C0A0855A979C23F787969167DF74E18DD7B0C2553CB88C2C8B3FB89D2CD000444DBDB474BC5E42B2FA266510BB93CEF5DB4E5E227BE7ABAFEB7E
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....b..NPMS....B...NPNE.....NPE3........._.........?O???)...Z=hE........Z~=DO?.e...eO?.O_...e...O.Oj)........u(.........O..._....=..O..j_.......O.T.$.....=.m..O...=]...O..j_.......O..O_........T..)...IIQ.K...&..s.w.#.O.O_........O.j.T..)....._.k#.N'\+.....T:.e.....T.T:...]..=......s...Y...........6.....=...N.6./.0.d.F...d.....=.../.]...d.O.6.....=..T.O_...`....T.j..:.e.......j_..........j_.........Oj_..........T..........=Y...........................................................................e...e...j)....:......tS.P.......e...e...j)....:......tS.P.....:O......=..]C...a.2:>.2...2..2...2`..2"y.2.i.2...2.,V2.`V2...2.\V2...2.c.2..V2!..2.".2}q.2..V2.*V2.....:T..........=Y.......2.\V2.-V2.l.2.{.2:..2.a.2.$V2.>.2:.V2.~.29.V27..2...2.J.2.a.2...2...2..V2...29....:O_........T.j..:.e.......j_..........j_.........Oj_..........T...../...................................................................................e........e......._........T.j
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):2581427
                                                                  Entropy (8bit):0.948801575528081
                                                                  Encrypted:false
                                                                  SSDEEP:1536:NiTRIa+7j6gRKROkkCkkkOW7Fe3U3/GFt1yvn+KvItgj0lKAAww3Ck3n8UamF4FG:ocasnF4FzFtFF+
                                                                  MD5:61AD55987C4C8C5F7AA94F72B73F35FF
                                                                  SHA1:4702977B51654B58744B85564A9C6EC04D381F4A
                                                                  SHA-256:F8C1585A35566FDC9C27DD16CC6D70C185A8474AEFB0E1BB832488EFB3A6B566
                                                                  SHA-512:A77B9381F964EBDB4972105539EBDA9ED6AACBA167625C63D7793CC4383304F5D7ED2E6BD02A3ED7998DFB66D18DF31D2C941A0EF385C8DD43F933928FC5F12F
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....3c'.NPMS....B...NPNE.....NPE3......w..X........(.(((......M.........Y.3..(.......(..X.......}.?.....~q)...,)...-T.}..X...W...}.?X.......}..p....Z..h.TS..h.T...Z.}.?X.......}..X..............l.)....|2._..X...X.....?........9C.......J.?................L.....Y...G...7...h.O.............e...j......U...\.h....j...T......h.T....X........?..L........?X.........?X.........?X..........\......Z.L.7.Z..7........................................................................\L........?....6.5.&t..K.~o..M..\L........?....6.5.&t..K.~o..M...S...L..T....Z...Tgm.Tgm..gm..gm.TgmdSgmxTgm.gm..gmN.gm.gmY.gm..gm}.gm.gmd.gm..gm.gm..c..c..c......S......Z.L.7.Z..7.cd.c.!.c..cd..c...c..c..c.c.!.c...cV.c.!.c.!.c.$.c..c.!.c}.c..c..c.!.c*.....X.........?..L........?X.........?X.........?X..........\...S..j7T..............................................................................\L........?....6.5.&t..K.~o..M.
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):29045
                                                                  Entropy (8bit):3.5998670640731536
                                                                  Encrypted:false
                                                                  SSDEEP:384:4WFKs0OKKKiKKyKyH/BBJ4rMaXqxJ52XxU:9F50OdULJ
                                                                  MD5:4FA9106DADA81B06993B41B2948E44BE
                                                                  SHA1:172AF17DD4CE7128FB50A5568E50ADFC515DCD6C
                                                                  SHA-256:3A0AA3B79A83A60077E3111CEFA92CC204FDE47BE1F1730E93A8B9C1B3AFAFA1
                                                                  SHA-512:5087E5EEDA6749214DC8E3133CA6943582536A308AB5BE41F471D159182C48CCCAF141FD03AB9374DD1A7EF60AD2F3CAB306874513DDF2CC022ECD386921E6A6
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....p..NPMS....B...NPNE.....NPE3..........vvvrvvv*u.....vvvLX.F..p....ygG2.7.vvv.....vvv.vvv...vvv....)J...)..v......vvv..vv....vvvvvvv..*.vvv.?...i........?v....vvvvvvv....vvvvvvv.....vvv...n.s.7<.#.........vvv.vvv.........vvv...].\A)&.c._.....8..vvvv....8vvv...*...... vUv.v.v.v.v.v.v.vHv.v v.v.vfvHv.v.v.v.v.v.v[v.v.v.v.v.v.v.v.vHv.v.v.v.....vvv.vvv......8..vvvv.....vvv.vvv..7..vvvIvvv.....vvv.vvv....[vvv...?.?A vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv......[..vvvv....vvv..Q;...qU.....[..vvvv....vvv..Q;...qU............vvvu.:T+K7.h.....FW..8..vvvv....8vvv....... vvUv.v.v.v.v.v.v.vHv.v v.v.vfvHv.v.v.v.v.v.v[v.v.v.v.v.v.v.v.vHv.v.v.v.....vvv.vvv......8..vvvv.....vvv.vvv..7..vvvIvvv.....vvv.vvv....[vvv...... vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv......[..vvvv....vvv..Q;...qU.....[..vvvv....vvv..Q;...qU............vvvH..nzJ...0H......8..vvvv....8vvv........D...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):117247
                                                                  Entropy (8bit):3.391904417565738
                                                                  Encrypted:false
                                                                  SSDEEP:384:V2S9qcMtNRwS2rS2puFOjcR2St1die7TBk0:CySsSTFmcR2St1Meb
                                                                  MD5:A72F19110C9D487D965E44295EDEFDB2
                                                                  SHA1:4BFB8008A93B9EB5DD83EF21E7E63A397B4AA234
                                                                  SHA-256:DCC1810B8911FC839868A8EA4A07506945C171159BCFCB052DB14DB0DB6DFD0C
                                                                  SHA-512:6BAE2AFDA1C2F615B6AB80931C96578E0234FBA1C92285BA1152FDDB4B3AE6A943EFA93AE45ABA036D28FA8FB145370F892F17D269C898F274BD85924641ADEC
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.....W6..]yyy0yyy;.e......yyyi..}aC..(wgH......."'yyy'....]yyy'yyy.....yyy..1..Afe$.8.yQ9.....]yyyX]yy....]yyyyyyy...;.yyy....L9*....9.X.y....]yyyyyyy....]yyyyyyy...e.yyy....V..>.p...Z.....]yyy'yyy.......e.yyy.g.7lY.5..=.).1 ..O.'yyyy....Oyyy......;..y"y=y%y.yXy.y.y%yWy.y.y.y.y%y.y.yVy.y.y.y.y.y>y.y.y.yVy.y9y.y.y.y.y9y.y....]yyywyyy......O.'yyyy....]yyyZyyy..".]yyyyyyy....]yyyyyyy....>yyy.....;..yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.....>.'yyy'.....yyy....}Q......Y....>.'yyy'.....yyy....}Q......Y....O.*yyy...H..;..y..yyyyN...yyyyyyyyb.{.yyyyN...yyyy%pL.'yyy%pL.yyyyy.yyycyyy.]yyyyy.yyy.'yy.yyy.C.'yyyy.....O.*yyy......;..y..y:::::::yyyyyyyyyyyyyyyyN...yyyyyyyyyyyyyyyyyyyyyyyyyyyy......................yy.Qyy.y..O.]yyyyyyy......O.'yyyy....]yyyZyyy..".]yyyyyyy....]yyyyyyy....>yyy..............yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.....>.'yyy'.....yyy.O....{..1k.....
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):108339
                                                                  Entropy (8bit):3.3363905717560036
                                                                  Encrypted:false
                                                                  SSDEEP:384:xxnf7QP7dD7TI57O67zxXO07sG7TpS1cJG6A39HT7uK:xxf8lyjTNy
                                                                  MD5:392A3D2770E15752F7520A5DCD684287
                                                                  SHA1:46D57EACCBCE41B702557EB2B8ADFFE9C259B36B
                                                                  SHA-256:A041E12ED0AF13477C6ADE59395B068A7E663A2DF02BA15A0AEB8BABC58E72CD
                                                                  SHA-512:88513F48445697AA9593E5BF7180DE782DEB54C3A8CC62604D919E585526521E8D70F3083630F386B54B1E1B92DAE0D0AAA1622260B94960B45EDD61A859660A
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3......W..Y.......Py..........ZD..S.O.*.......F=...=....Y...=.............&.......m.q..Y...'Y...{.Y.........P....{X..Gg.b..G...k'X..{.Y........".Y.......{.{......PKBe... .Y.Yp..{.{.Y...=...{.{.{.{..........P,F.c.pF..{.S{=....{.{.S...k.Bky.PG..F...o...'.G...o...B......o.(.B...t....L..].G......k....B.G...{.{.Y......{.{.{{S.=....{{{.Y.......{{F.Y.......{{..Y.......{{{.]....Bky.PG........................................................................{{{.{{].=...={{{.........m...:....r.{{].=...={{{.........m...:....r.{{S.b....Bk.y.PG.....7...Y;..2..........A...$...?...........;..?..e...0.......3-..S$..e$...Z.....>.....{{S.b.....{.y.PG.......d....;.0......N....$....;.6^...u...=;...;..........;..Y;.9....=;..=;...;..d...Z.{{S.Y.......{.{.{{S.=....{{{.Y.......{{F.Y.......{{..Y.......{{{.]........G.....G..................................................................{{{.{{].=...={{{.....ST ..".r.K....{
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):121116
                                                                  Entropy (8bit):3.356954571678176
                                                                  Encrypted:false
                                                                  SSDEEP:384:ijYEfIssN+dss9N23nsZCN+OpsIN2ZVHs9VhshN2ru5sFN2ndytwseZjdytRseUZ:3M+mdDjdvQykS11
                                                                  MD5:2AF44F4FFD73926AAA94B13D24230050
                                                                  SHA1:4811BD6B155EDF7C5816EDD7BF505ED7820A4971
                                                                  SHA-256:8271AEA4CB3997596C52319280DD5710C568D056206278DEFDAB576B920E7540
                                                                  SHA-512:68DAEE3E0D13E1F78DF342CC3FDB5EADCBADDB0BC7F1EABC7624CB1F0D6B29344EB86ED25A47D0FD453E7183ABA64EDAAB42D8A9889F970378E439581C79E7B4
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3......m@...........;........7&?.9.Vs...:...7..@J.............s.......C...0.;D..U.Rv,.s...........s...........s........2U$!v.U.$Uv2....s...........s]............;...........I..`r....................;....G%..........d....-........-......;.*v.2..`.....$.........U.`.2..................$.2.U....v.....$.v.2......... .........-I...........c.....J..............................U22U$`.U22U$`........................................................................I...........l-.k7.F]..h..5W...I...........l-.k7.F]..h..5W..-.........;.*v.2..`....5[.................5[.......!U....!U.........?.....|.........#.....M.......M..-......U22U$`.U22U$`.......................5[..............................V[..V[..V[..V[..V[.LL.).R.......-...............-I...........c.....J...............................;.*v.2..`..........................................................................I.............5.KRMs..'..).i.
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):98518
                                                                  Entropy (8bit):3.5729171123719206
                                                                  Encrypted:false
                                                                  SSDEEP:384:zhlHYElYyMZPbOYEEkAHe9L75vaC16LLwJwWwlOYEEkj1L7TtUQrhIZc3vI8jTks:NlHVaRebW/8xh5/IHfU2KDlFqXY
                                                                  MD5:9EA2AB2EE40C2B3E06ED21E0586477C5
                                                                  SHA1:7C0D90EBED1D8714418668F9B213A98BD8B83C4D
                                                                  SHA-256:9EBCB362618802DCB0539EDB2A5040E4641541F7F53A6A811A9EBF4C73087830
                                                                  SHA-512:DBE91E5E66FA1FA1D858794EF7FA9E00467F864EE41877A1BDBC57E691FE2BC0B00B9A71855DCC249C85254AD9FA5F3E6BBC35DD632955F515726E50E76CFE15
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....V...NPMS....B...NPNE.....NPE3.........`.....(...g...>.....I...Z...9.-..g........g.Cg`.......g.g.>.....8....:.)..<.Ig...`....`..g...`.......g.-(s.....t.....g...t....g...`.......g.*g`........-..>.... g..J*.&....>r.g.g`........g...-..>...#{....d..c..e....-.......-.-............@....................@.t...w.....i..4....|..t.........g.....t..-.g`........-.....#.........`...........`.........g.`..........-|...S.tt..@..tt..@.......................................................................|#.........>......f.u1*..8...M..|#.........>......f.u1*..8...M...g...S..n.....@.....Q...Qd .QT..Q..Q..Q>..Q...Q.0.Q...Q l.Q...Q/&.Q.z.Q.&.Q...Q.f.Q>{.Q..Qp..Q}..X.~....-...S.tt..@..tt..@.X.l.X.RIX.I.Xx.X.RIX.5.X>>IX..IX..IX..IX.%IXB.IXZ].X..IX.1.X..IXx.IX..IX.3.Xp..X......g`........-.....#.........`...........`.........g.`..........-|...........@............................................................................|#.........>......<P.HA0S..
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):118679
                                                                  Entropy (8bit):3.2092734818836517
                                                                  Encrypted:false
                                                                  SSDEEP:192:SLD46H9W4udyr7C4848AuAUdUdU1UVU1Uunt+K5cg4tgLAEW4RpzlLA24olLAC42:EZZUdUdU1UVU1UuF55BpB7lOSFm2eU
                                                                  MD5:FE4632B8E9C33F29431D1789C21D2C99
                                                                  SHA1:8C639E0D28F7FDA196E0B68F781A758FEC2B0A8F
                                                                  SHA-256:D1BCF492633E5BA8F1C0F907B5A24F8EE1387A2D453EAC72425E7F461B277528
                                                                  SHA-512:76820D2FAA18B74B4DD54B410FF7917AC20828AAA10B90738A2B8BF674F16C07282621BF757CEA8B83A14BEC6B23418B846CB96BC9924638FE18A2F2BA7F5DBC
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):145092
                                                                  Entropy (8bit):3.5028747597472494
                                                                  Encrypted:false
                                                                  SSDEEP:384:sNX6DBK36uI84173hfL84IK7nHe184T7kJJF84d1R81j19ojc2+E6S181B/1p1Vg:uXDeXxsqd
                                                                  MD5:A78801E3BFAEFC4CCB0DCA3F3D077BE5
                                                                  SHA1:772B30FB2030C66842C90B51A5188FDF75465B57
                                                                  SHA-256:80DFC21C988304DEFC94E0F4E339067BD146AF79AA0825F4CC0AC25153CC9FA1
                                                                  SHA-512:62C9C58BF93FD32170926168988B109E7E37185E3BB1B798255820D542292EC1E3F72868DA7ED0A30A40C301724D165CCD89E2AF9F068B12E4CF43CBD3BC2AB3
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):103952
                                                                  Entropy (8bit):3.2422136962863126
                                                                  Encrypted:false
                                                                  SSDEEP:768:HP9xNrSNF/jnJnmNLNwnLscnRnkNTndn7MrMDMP1o+nPnvDnLwn/zs1nUxMzsXnM:ta3fqP6
                                                                  MD5:4988D65792D7CC9910FF74EDA27FED26
                                                                  SHA1:95B2289E72F3296E65A2247416A43365B6426927
                                                                  SHA-256:6C45F69949628F7217683297B787A235FD776ECA2F279363BED10C4C27CC8A35
                                                                  SHA-512:302BB071CB8740DBA302F2A9754599E314C30E6D72DC03D94D073D29E14DC7453A28A7F8EAC1035F6D1BDA043408330256623D7ACAD8650BFAE7006BBB0C1BD7
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):159436
                                                                  Entropy (8bit):3.156940171595267
                                                                  Encrypted:false
                                                                  SSDEEP:768:HHKhY1WtSIWigY1WKTI0ygY1WKGIstnK+WIuxjg1WKrWIvxi1WKVIBkLLFxcIBWi:nX
                                                                  MD5:5D3D562F203EFD5BE350640BF05B9E93
                                                                  SHA1:F48CF4B0B36728E9794AA901FAD9B1B676076485
                                                                  SHA-256:7DBBF58C567CB8CCDCEAAB9E4BF72E1D1A756A003D00C66578840EDD7469ADD7
                                                                  SHA-512:CC443432F48D003020ABD63F535DDBD1B958F476988575E09DFC39C1A79A679C7F6533D3D25D2FD7C4E3C0161BB788AAEB80E7951D0DA4FB60EA0E62C99A716E
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):42323
                                                                  Entropy (8bit):4.010538738417268
                                                                  Encrypted:false
                                                                  SSDEEP:768:ZRCCQblzXDB5vzU5CYWps3Qp8hRgQ/3QgCqoRQQ3MZFFFh/Cg81uQ4/AAgcOg0xl:zCCQblzXDB5vzU5CYWps3Qp8hRgQ/3QD
                                                                  MD5:DA9DD0BD55B37E258ECC10D10FE96E9E
                                                                  SHA1:7B385238D4CBF9E3F1F5BEB5858E9F7B2B347BD7
                                                                  SHA-256:C560C1FBD2F41E58F03834879C0058E31835DB6AE7CAF774B40477BEE3A499A4
                                                                  SHA-512:208E6BC230A4F7C59539E38BF819545BD632E83E7733FFFF96C75FF05221CF2398604CE30D47744053774E4B7FB16C60A6ADC63631757B51738A3CADC4933BF6
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):78400
                                                                  Entropy (8bit):3.8537385154667043
                                                                  Encrypted:false
                                                                  SSDEEP:768:f74StGmBB+9hZDY1JG+00nDfgJCjx7yDP/LY/13EDWMdFH9qodl6NZlkSt1ryGT0:D4StGmBBgDY1JG+I/8RAWKsS
                                                                  MD5:B7AB2AF08B89D4862FCF92B393432CE1
                                                                  SHA1:AFB0A972A367726D2B8DB844022BF1E513176134
                                                                  SHA-256:52134DEB988AFC0E8A41767A9113A4372D1B64DF5B5D472C727AB7A7E5F719AF
                                                                  SHA-512:4DA25DB5885EDDEAD83D78BEF4C307650732318E6B5047FD1844D80F9A8C501B8BE08FBB4ABD898F26A84A0BD4C0B202C0E5886F7FBB2DC2E5904BC95BC4E0EC
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):161419
                                                                  Entropy (8bit):3.890163118011974
                                                                  Encrypted:false
                                                                  SSDEEP:768:ra7ng9LLkLeSf+b0xP6xrxRfdzWREHQ//PVY5GuUHvte24Bpy4D8:rajg9LLkNGb0xP6xrbsREEHux3D8
                                                                  MD5:C9F25ED96548C95A40CEA193920B26B6
                                                                  SHA1:BF4B3E7FC5BA11AA0BADB0B2D45AA172F154698C
                                                                  SHA-256:1BB679256EA19250EF50027F04E68EA3FA9C6CC65257DA61A9CA6F9736FD8F86
                                                                  SHA-512:9DAB01F2F0001EB16B3C629D134F1AE4B9F3B6095576B4CB51DE7F8060B38D957E9D3378FBAD4D4481F36E317D4394AA1A23D724E7A9B881DC27EF8B6192C734
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):29591
                                                                  Entropy (8bit):4.634901128063552
                                                                  Encrypted:false
                                                                  SSDEEP:384:QIJGGNouDbL/f9UNCtcxTDJ61Q+wM8eWQQFK:QIJGaoyvNOCCTD2wM81Y
                                                                  MD5:9352261E4376988C0FFE744582A2766E
                                                                  SHA1:6649F1259F8E1F3D928A897475EE954DFD2895DB
                                                                  SHA-256:FD5E44E8A65E442AA6A62DB7B677DDA06573DDC6A665B03ABD90FF87C5C89542
                                                                  SHA-512:103FEB2C761857FBEB6CB63B7BB9BDC96C4C207FD7EEBF72E3A964FAD40A4AB25E3BBAB487755C2BFCF39A0D2C66081CD487B8D48D529BB35EBE1328D398B8BF
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):166576
                                                                  Entropy (8bit):4.260099719390508
                                                                  Encrypted:false
                                                                  SSDEEP:1536:xQd2KNcYXQgTvHrBxZEOyRkb3Z8+sstBFLiwAOq2pCeAHMLyl7YWqKq+fPEP7PEn:jJNOOr0zCJ3obaaYiW0G
                                                                  MD5:142EB76EBEB0804F0DB410C0D80EFF5F
                                                                  SHA1:3EE2BCED1802C92ADF2745969E79FB2D81049664
                                                                  SHA-256:C9FEE38F53F09F33889C6D77262002F5669EC9969F780248CC7821C75142E160
                                                                  SHA-512:36383EF005F08CEA1F201A5E46733C5DEFE6D5088D45D52262E84D457C26884E1C095468ABA3239EB4EAA98E1073C47ECFB297D0513900DEF1E248D3B3BB6209
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):307
                                                                  Entropy (8bit):4.775387448119641
                                                                  Encrypted:false
                                                                  SSDEEP:6:K5ucKVpofGmmxof1MC8XyqXgyjgG0fuC2mny5PEzmxoRKCmxn:0QVGfGvx61M6qNjgxZbny5Pvxzxn
                                                                  MD5:07B303071AB83DA2FB8D340C3F0CCC6A
                                                                  SHA1:CBCD58E317B9B97AF5AFCE760E0758037211D4D1
                                                                  SHA-256:389A78B7E4E007683F00C31B586D28E7EC183F4705F05D98DBA9E5B7817963EC
                                                                  SHA-512:E0A2031CEA66C8B0F4AA2E750711EEC943F8F41B0ACDFD2AA7D38CB9439E732334E7A6BB41180E2DFD8AF5ED3EDFE2852F7C4ADF67903F2680FB93E4EE3C3D19
                                                                  Malicious:false
                                                                  Preview:h1 {font-size:20px;}..h2 {font-size:15px;}....#header {...text-align:center;..}....#wallindex {...width: 700px;...margin-left: auto;...margin-right: auto;..}....#indextd {...width: 350px;...text-align:left;...vertical-align: top;..}....#wallinfo {...text-align:center;..}....#footer{...text-align:center;..}
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PC bitmap, Windows 3.x format, 636 x 576 x 32, resolution 2834 x 2834 px/m, cbSize 1465400, bits offset 54
                                                                  Category:dropped
                                                                  Size (bytes):1465400
                                                                  Entropy (8bit):2.586064418864476
                                                                  Encrypted:false
                                                                  SSDEEP:1536:0bQr/302ErFojZCtA11pWxaYFnLNf0C1NQeK2IZqiu1ZNvEmZDCbL+NViQFf5D3+:0bQbkkCtu0aYPtuGvEOG3+7FBO
                                                                  MD5:4EA6A98EC1B4BEAE04658145C75E6237
                                                                  SHA1:5D1B41BBB113393CE4B54B9B05993465AE388CEF
                                                                  SHA-256:AC9A57F7876A57BB05FA61A6840050A66229C018C7CE2F192286EB5C3BD8F8CB
                                                                  SHA-512:2E5F558591DD342E9D3BBCD4477B58B5F6860ABEB89B0A84F5ACF531FA626C6AC2845846F50766668E6FCD9F35CE82A7C68F82D31B1F64DCA65506FA61598DCC
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PC bitmap, Windows 3.x format, 636 x 576 x 32, resolution 2834 x 2834 px/m, cbSize 1465400, bits offset 54
                                                                  Category:dropped
                                                                  Size (bytes):1465400
                                                                  Entropy (8bit):1.2396637632146212
                                                                  Encrypted:false
                                                                  SSDEEP:1536:PzRI78lET6zePdzESCcEeiaxvAVi+VdoX3VOJMqNs:7RI7UEmQdAKiaxAVi+QX3V3
                                                                  MD5:6BC392267F2F27DCA4B6E5CE2AE0F82B
                                                                  SHA1:60DA3E4A7310B346C18C7E869C8F6ADFDBE44AF2
                                                                  SHA-256:6626A5372D9EC692FA65083344CB9C6060D89C486E912D488F85AC8FB74F700D
                                                                  SHA-512:DCD3A6A1D1EE011D9FC3638AC6459B072152DFDC4EEBD97E806592CDB5B8D8CC63F2A43E92FFC6F0F4C6F0E581A765DE73157841A9CDFEF2E7376A5A70B62268
                                                                  Malicious:false
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):3609
                                                                  Entropy (8bit):5.150096835061823
                                                                  Encrypted:false
                                                                  SSDEEP:48:6bryriECobFK+8rvsbGV2OT2nu4Rn5habkGp4CS+kqL9+ZpDLQMAohhPFZnhiktv:6XrsFK+8rvd4RnSpm+149LQJevFtjA8Z
                                                                  MD5:5008A44E96742265263FD03EF7585C92
                                                                  SHA1:C5BA97F07E0CAEC21ACC4684474A736EA2FE671D
                                                                  SHA-256:588186391674190FFFC5203B734E517978DF65178196E6040957D280956855A4
                                                                  SHA-512:2D9640862BFF59F85D292F307847593D3A770AC1FCAB25DC79604DD8BD8AE0ABE2B99BA20CE890DE6F32EB3EB022B8BB97B657F81B9E7878A5BF1DB3E6B4A39C
                                                                  Malicious:false
                                                                  Preview:This is a FFmpeg Win32 static build by Kyle Schwarz.....Zeranoe's FFmpeg Builds Home Page: <http://ffmpeg.zeranoe.com/builds/>....This build was compiled on: Mar 31 2014, at: 22:01:44....FFmpeg version: 2014-04-01 git-5b03caf.. libavutil 52. 70.100 / 52. 70.100.. libavcodec 55. 55.107 / 55. 55.107.. libavformat 55. 36.100 / 55. 36.100.. libavdevice 55. 11.100 / 55. 11.100.. libavfilter 4. 3.100 / 4. 3.100.. libswscale 2. 5.102 / 2. 5.102.. libswresample 0. 18.100 / 0. 18.100.. libpostproc 52. 3.100 / 52. 3.100....This FFmpeg build was configured with:.. --enable-gpl.. --enable-version3.. --disable-w32threads.. --enable-avisynth.. --enable-bzlib.. --enable-fontconfig.. --enable-frei0r.. --enable-gnutls.. --enable-iconv.. --enable-libass.. --enable-libbluray.. --enable-libcaca.. --enable-libfreetype.. --enable-libgsm.. --enable-libilbc.. --enable-libmodplug.. --enable-libmp3lame.. --enable-libopencore-amrnb.. --enable-libop
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):27247104
                                                                  Entropy (8bit):6.505208488748259
                                                                  Encrypted:false
                                                                  SSDEEP:393216:GO9fvXDl6+0KklkFlnfy1LjVz4+PVD49Oa4EkGpe1DJ2:GO9HSKklAKa4Ek
                                                                  MD5:8C26893FEE65A907A0501654DE20E888
                                                                  SHA1:1DA45E13A9CBF2D755E9021A36FC678E331CF798
                                                                  SHA-256:8E514C6444546FCAB606B7B85A2C59F5F12DFDBE87D3A05C0B1B11C857830DD4
                                                                  SHA-512:4D8B0B449B81070512800E09DE024F77C7D91E91444D4EA0826AFF4273A0B11E55F4341FE65A49ECA05F5934BA86957CB23B6C08D989495177FF78EB9672FDFE
                                                                  Malicious:true
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2014:10:01 12:10:55], baseline, precision 8, 16x16, components 3
                                                                  Category:dropped
                                                                  Size (bytes):10601
                                                                  Entropy (8bit):5.892146904410506
                                                                  Encrypted:false
                                                                  SSDEEP:96:PO54iL7ZPy4lyJYPBsPIpL7CknJWptA5ca1A2HR/m+wHr6N26MT0D5MdtbZPAVwM:PYDhPy4l/a0aknGxYNMtKwKtd
                                                                  MD5:CCDC2B2947DE4989C359A3EAF6C289F1
                                                                  SHA1:53DA4F4938D285CD173E203348DB45733F3BD40A
                                                                  SHA-256:D2EFCA5944B78D0A3C41DD4BEEB530F9FE11E3F29D5889C22F1C43F5DA404237
                                                                  SHA-512:DD26B51B5454B648335729C782A11FF25355A308749F269270FD661BA9234357D4F3257E7E0E8B95315480290455658761EF4F6715D3090BE9D5D057D86E942F
                                                                  Malicious:false
                                                                  Preview:.....LExif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS5.1 Windows.2014:10:01 12:10:55..................................................................................&.(.........................................H.......H..........Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..I%?.....>Photoshop 3.0.8BIM.%......................8BIM.:....................printOutput........ClrSenum....ClrS....RGBC....Inteenum....Inte....Clrm....MpBlb
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1943
                                                                  Entropy (8bit):5.224965598375398
                                                                  Encrypted:false
                                                                  SSDEEP:48:koO3xOV/rYJP6+HzumHPmic432sVosr32s3p/tP1OtwHf:klEV/rYJiUumO03rr3zoK/
                                                                  MD5:40A141FC0A1D13C9191E10F6218F7B14
                                                                  SHA1:63527249C4A81671D7F558EA588BD32FC0750B2B
                                                                  SHA-256:ACE879711AAD0985482856336C66EB972C59B2B3268B4BA7CCA1FA162C52E931
                                                                  SHA-512:0A779DF138DC414BEADC9668D5DC1C8806BC2D8CF0816995BCB9F1469EEC636786B73416ACEC4C8E01B4B3AEA77098930F03B3773C6CE306B6B0CBBFFA02BB59
                                                                  Malicious:false
                                                                  Preview:..--------------------------------------------------------------------------....This program, "bzip2", the associated library "libbzip2", and all..documentation, are copyright (C) 1996-2010 Julian R Seward. All..rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:....1. Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer.....2. The origin of this software must not be misrepresented; you must .. not claim that you wrote the original software. If you use this .. software in a product, an acknowledgment in the product .. documentation would be appreciated but is not required.....3. Altered source versions must be plainly marked as such, and must.. not be misrepresented as being the original software.....4. The name of the author may not be used to endorse or promote .. products derived from t
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1309
                                                                  Entropy (8bit):5.2698440099865556
                                                                  Encrypted:false
                                                                  SSDEEP:24:NgqO1FeWHiZ7q6knmq6ImgcaGjXz7VDyYP/UA51ZwceK:NzozstFtCcaGzVDyYPz51+ceK
                                                                  MD5:FBEF155089E006511CE6EF1D9C61E2B3
                                                                  SHA1:5163526E694E3C433B478DDBCA39F60F5B3A4901
                                                                  SHA-256:A0BA4EF0D82559527E2C5DA09B8B7705EB04EDFDE07AE6B3D65E536699D1F914
                                                                  SHA-512:F9EFC8298907F1934A4E96A150632D8BEBF726299192AF5D8E4670383924609A9B1BCAF4BB627A8835D1540106307690BFFC91E7998D9A83FBFDE80C418A8A8A
                                                                  Malicious:false
                                                                  Preview:fontconfig/COPYING....Copyright . 2000,2001,2002,2003,2004,2006,2007 Keith Packard..Copyright . 2005 Patrick Lam..Copyright . 2009 Roozbeh Pournader..Copyright . 2008,2009 Red Hat, Inc...Copyright . 2008 Danilo .egan......Permission to use, copy, modify, distribute, and sell this software and its..documentation for any purpose is hereby granted without fee, provided that..the above copyright notice appear in all copies and that both that..copyright notice and this permission notice appear in supporting..documentation, and that the name of the author(s) not be used in..advertising or publicity pertaining to distribution of the software without..specific, written prior permission. The authors make no..representations about the suitability of this software for any purpose. It..is provided "as is" without express or implied warranty.....THE AUTHOR(S) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,..INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO..EVENT
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ISO-8859 text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):6910
                                                                  Entropy (8bit):4.660400887829068
                                                                  Encrypted:false
                                                                  SSDEEP:96:xDqmTIf7UaKlpjKbpfeaEr1dPB1BSb35v+GUCELqrc6DOh7ZiaHGgwHAWCn:9q3fNoYejnPs35vExAc6DCiaF
                                                                  MD5:03F3ABBDE29514248BD72A1724BDF9B4
                                                                  SHA1:9848EB36A6F028ABB46BA30F7F6336B1E7062B28
                                                                  SHA-256:93DB264E083FA85B7494B3DD47A214A4043B37170D7079CD4B16EB05842F5EAC
                                                                  SHA-512:0749EAF30D6357987EC0A0BBBA8899C265501718C35CA52E721997D0D5A516108AABB01B7EA0DF1E33D17E4FE4DE4E81957C63055B7F6C6AE8D4B911F346F1BC
                                                                  Malicious:false
                                                                  Preview: The FreeType Project LICENSE.. ----------------------------.... 2006-Jan-27.... Copyright 1996-2002, 2006 by.. David Turner, Robert Wilhelm, and Werner Lemberg........Introduction..============.... The FreeType Project is distributed in several archive packages;.. some of them may contain, in addition to the FreeType font engine,.. various tools and contributions which rely on, or relate to, the.. FreeType Project..... This license applies to all files found in such packages, and.. which do not fall under their own explicit license. The license.. affects thus the FreeType font engine, the test programs,.. documentation and makefiles, at the very least..... This license was inspired by the BSD, Artistic, and IJG.. (Independent JPEG Group) licenses, which all encourage inclusion.. and use of free software in commercial and freeware products.. a
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):18342
                                                                  Entropy (8bit):4.734348281559762
                                                                  Encrypted:false
                                                                  SSDEEP:384:tq2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sD12:tzuVLiY+rTZo0sD12
                                                                  MD5:EBC88A743946FBB00F8C06EB9DA3861C
                                                                  SHA1:92F6C2CFC12C6A13CBB6B1DBEA92B1DF2230AB4E
                                                                  SHA-256:E55F40E907647A4AE74B6F9CF10DD72AC9996C5D2B227D8E226E7154A85B531D
                                                                  SHA-512:22523996555F42C4C7EBA730BC45A5EB06146011DE071515AD7261C2FDA7F79B5BF60E66B3C39AF5947C07E37713F068E2A4CDE28C75609F4B498C41FA249049
                                                                  Malicious:false
                                                                  Preview:.. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):35821
                                                                  Entropy (8bit):4.622128610438848
                                                                  Encrypted:false
                                                                  SSDEEP:768:A7Y+tNdSz3ZlqXOWoInuzx3Y8N3WiYD0v:AVtNIq1uzZY1C
                                                                  MD5:3C34AFDC3ADF82D2448F12715A255122
                                                                  SHA1:7713A1753CE88F2C7E6B054ECC8E4C786DF76300
                                                                  SHA-256:0B383D5A63DA644F628D99C33976EA6487ED89AAA59F0B3257992DEAC1171E6B
                                                                  SHA-512:4937848B94F5B50EA16C51F9E98FDCD3953ACA63D63CA3BB05D8A62C107E382B71C496838D130AE504A52032398630B957ACAEA6C48032081A6366D27CBA5EA9
                                                                  Malicious:false
                                                                  Preview: GNU GENERAL PUBLIC LICENSE.. Version 3, 29 June 2007.... Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed..... Preamble.... The GNU General Public License is a free, copyleft license for..software and other kinds of works..... The licenses for most software and other practical works are designed..to take away your freedom to share and change the works. By contrast,..the GNU General Public License is intended to guarantee your freedom to..share and change all versions of a program--to make sure it remains free..software for all its users. We, the Free Software Foundation, use the..GNU General Public License for most of our software; it applies also to..any other work released this way by its authors. You can apply it to..your programs, too..... When we speak of free software
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25765
                                                                  Entropy (8bit):4.669439632186901
                                                                  Encrypted:false
                                                                  SSDEEP:384:xGL2PFB6sr5CtyyHekX6sT6AATeINgKP+THQ/13gcmmItyOQ3M9YeWEeHBYoA:xGyzd9YekOTeDTEqFKTeleHBYoA
                                                                  MD5:77E459C91D62E83039D5FD9416792197
                                                                  SHA1:9F6D4D6011B32E85239A9E305CCB971254197DB8
                                                                  SHA-256:782A593869B3589BF63103745E10526B239FC5214FE444CFAF86DFD9BD805277
                                                                  SHA-512:CB938D2D699DF7BD9F49C9F11970617825CFFF4D431AF13DA68CF847D804D915D713BF5423BE58CA8FBF9B10A0DF88F3374ACA292BF17A63344CFED22E136536
                                                                  Malicious:false
                                                                  Preview:.. GNU LIBRARY GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1991 Free Software Foundation, Inc... .. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed.....[This is the first released version of the library GPL. It is.. numbered 2 because it goes with version 2 of the ordinary GPL.]....... Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..Licenses are intended to guarantee your freedom to share and change..free software--to make sure the software is free for all its users..... This license, the Library General Public License, applies to some..specially designated Free Software Foundation software, and to any..other libraries whose authors decide to use it. You can use it for..your libraries, too..... When we speak of free sof
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):708
                                                                  Entropy (8bit):4.967782641866196
                                                                  Encrypted:false
                                                                  SSDEEP:12:US4dCPXHbb7qgmq6c9KsA8eXsV2UXA3+lqPRz2AvB8T3kcy2CFK2PF3ef:nICPFmq6c9izc1cxPR+A3jF3ef
                                                                  MD5:1C4AB6A61127F6078839C330CBCD1444
                                                                  SHA1:AC3422D895F8D878D90E030A31295FB3F054B897
                                                                  SHA-256:B8FB158A12A0FA840A17F90C42621E86EE31D70E6AFB4DBFFDCDA42A538E0E40
                                                                  SHA-512:DB5F933A21365916051477960D46687C5FDB5D86025F6800411569F6944C5307CFAF5F5CC598621C23B953561AC5672243CA2F6C3485218D20A2273CA87F12C8
                                                                  Malicious:false
                                                                  Preview:Permission to use, copy, modify, and/or distribute this software for any..purpose with or without fee is hereby granted, provided that the above..copyright notice and this permission notice appear in all copies.....THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES..WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF..MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR..ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES..WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN..ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF..OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):24936
                                                                  Entropy (8bit):4.637309254393213
                                                                  Encrypted:false
                                                                  SSDEEP:384:4jJBIk+x/vIUk0Z8t6sT6AATeANgKP+lHQ41fgcmmIxyOQMM9Yf0EJO:41BJs/80TeLlLkF/TfjJO
                                                                  MD5:50B45E81C7B391E90F0C3BAD986AB1EF
                                                                  SHA1:043B5106F36EB5D6307646D6CFB8430945F59078
                                                                  SHA-256:575888BE9AC31801886BABCA6456E1BEB346FA4FB3DD76F52111F8048E38D58A
                                                                  SHA-512:84C5173FD65C41E04CF17A1B2FFD8D7FAF0C5579EB6F4BC3A68134C886430CB567ECD6568D6599555FE94089F21491E1E383999A45988F210364AF473710BA84
                                                                  Malicious:false
                                                                  Preview: GNU LESSER GENERAL PUBLIC LICENSE.. Version 2.1, February 1999.... Copyright (C) 1991, 1999 Free Software Foundation, Inc... 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed.....[This is the first released version of the Lesser GPL. It also counts.. as the successor of the GNU Library Public License, version 2, hence.. the version number 2.1.].... Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..Licenses are intended to guarantee your freedom to share and change..free software--to make sure the software is free for all its users..... This license, the Lesser General Public License, applies to some..specially designated software packages--typically libraries--of the..Free Software Foundation
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):522
                                                                  Entropy (8bit):4.9148464376631535
                                                                  Encrypted:false
                                                                  SSDEEP:12:/E0lObYfHukjVj6E/joTGs2Ow9bVE0lkY7L+k7L2n:s0kcljl/joTt2OY60VDKn
                                                                  MD5:20034048249E0130ECD0CEA051B626F9
                                                                  SHA1:EC851B133374988A7456684F2F2852FE85249F60
                                                                  SHA-256:4E0F7D2680019520514A02BAA0A0A683DE1BAF5286A7B7F11D3CDEF2362B43CC
                                                                  SHA-512:8BE4DCFE481CB00184D5F068E7E7564AF91D500A823CC0E22ED502028B68DD34949044B1F6AE10245FA43F03204DE1831C74860136BDB6337E7582EE72261B14
                                                                  Malicious:false
                                                                  Preview: DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE.. Version 2, December 2004.... Copyright (C) 2004 Sam Hocevar.. 14 rue de Plaisance, 75014 Paris, France.. Everyone is permitted to copy and distribute verbatim or modified.. copies of this license document, and changing it is allowed as long.. as the name is changed..... DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE.. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION.... 0. You just DO WHAT THE FUCK YOU WANT TO.....
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1485
                                                                  Entropy (8bit):4.628141105706364
                                                                  Encrypted:false
                                                                  SSDEEP:24:YFEfNaeZMxIHNUeajTuflzoW1qtRMuSuAGYdZ0P0uvuEbPxLzNoez2QU9QC+Y:Yef4evmeajTW1xuAs0uvu2xziez2QOQQ
                                                                  MD5:4D256D1D6060103E6D9B5D8273D60F43
                                                                  SHA1:7FD10FD8960F361008E86308E3C93FEE4146173F
                                                                  SHA-256:4ADB29544F3ED1ECFDC52E1F0714C4B3E0064D70F33AFA315ADC150C0EEFE497
                                                                  SHA-512:83B211E7552E4C5350C84E1AA0062A9802306E73FC37FEE48D747BFA1FF3AFE1948B8E96DF8066534A8B6F4FBF9583B22EB918A8DCE63892F0CF515466509CB6
                                                                  Malicious:false
                                                                  Preview:Copyright 1992, 1993, 1994 by Jutta Degener and Carsten Bormann,..Technische Universitaet Berlin....Any use of this software is permitted provided that this notice is not..removed and that neither the authors nor the Technische Universitaet Berlin..are deemed to have made any representations as to the suitability of this..software for any purpose nor are held responsible for any defects of..this software. THERE IS ABSOLUTELY NO WARRANTY FOR THIS SOFTWARE.....As a matter of courtesy, the authors request to be informed about uses..this software has found, about bugs in this software, and about any..improvements that may be of general interest.....Berlin, 28.11.1994..Jutta Degener..Carsten Bormann.... oOo....Since the original terms of 15 years ago maybe do not make our..intentions completely clear given today's refined usage of the legal..terms, we append this additional permission:.... Permission to use, copy, modify, and distribute this software..
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):35821
                                                                  Entropy (8bit):4.622128610438848
                                                                  Encrypted:false
                                                                  SSDEEP:768:A7Y+tNdSz3ZlqXOWoInuzx3Y8N3WiYD0v:AVtNIq1uzZY1C
                                                                  MD5:3C34AFDC3ADF82D2448F12715A255122
                                                                  SHA1:7713A1753CE88F2C7E6B054ECC8E4C786DF76300
                                                                  SHA-256:0B383D5A63DA644F628D99C33976EA6487ED89AAA59F0B3257992DEAC1171E6B
                                                                  SHA-512:4937848B94F5B50EA16C51F9E98FDCD3953ACA63D63CA3BB05D8A62C107E382B71C496838D130AE504A52032398630B957ACAEA6C48032081A6366D27CBA5EA9
                                                                  Malicious:false
                                                                  Preview: GNU GENERAL PUBLIC LICENSE.. Version 3, 29 June 2007.... Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed..... Preamble.... The GNU General Public License is a free, copyleft license for..software and other kinds of works..... The licenses for most software and other practical works are designed..to take away your freedom to share and change the works. By contrast,..the GNU General Public License is intended to guarantee your freedom to..share and change all versions of a program--to make sure it remains free..software for all its users. We, the Free Software Foundation, use the..GNU General Public License for most of our software; it applies also to..any other work released this way by its authors. You can apply it to..your programs, too..... When we speak of free software
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1540
                                                                  Entropy (8bit):5.131206716476805
                                                                  Encrypted:false
                                                                  SSDEEP:48:wOVprYJfprYJkSdooFVP47439G3wEWmJC3t2zTHy:JVprYJfprYJkSdojM3M3wQigzTS
                                                                  MD5:966DF8A914916A2F86D9E8212FAE0ABE
                                                                  SHA1:D98D065FA519DAB431A65739B79D56500792FF62
                                                                  SHA-256:5D57F76601B87E2069605CCEF52E5CAAA5EEB7A2F76E34AA65A0102637D28376
                                                                  SHA-512:0DD688C8DFABF02F9FD7E22C9AB3D839E500AFEB5AF278715BF2614B2759887D4867D77B2F384830E3CD38C3BA89CEC1C3C6F9B216F090784F0C186C1F558BD6
                                                                  Malicious:false
                                                                  Preview:Copyright (c) 2011, The WebRTC project authors. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are..met:.... * Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright.. notice, this list of conditions and the following disclaimer in.. the documentation and/or other materials provided with the.. distribution..... * Neither the name of Google nor the names of its contributors may.. be used to endorse or promote products derived from this software.. without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.."AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT..LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR..A PARTICULAR PURPOSE
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):59
                                                                  Entropy (8bit):4.386631820438273
                                                                  Encrypted:false
                                                                  SSDEEP:3:XzRzXjJQTQLKfrNAikMgv:9713+pkMgv
                                                                  MD5:BC7BA262134E189F6AC051C48B1D7A89
                                                                  SHA1:F8E8911FD4DFE93F2CD1A814DEE4D0A63511B974
                                                                  SHA-256:B64D05522976D26E870BFBBF701E5A89CC5E2AB8FBDE677E24F07DDAF0DAC7C1
                                                                  SHA-512:FFF572E18DFF1E1CD17DBE60923F1ECF75EFD275B4A7F5E0BEA589227B294DF1977C35382523496225D5422490E7488CEDCA394E3D374BFF84DD4B71173C7984
                                                                  Malicious:false
                                                                  Preview:ModPlug-XMMS and libmodplug are now in the public domain...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1498
                                                                  Entropy (8bit):5.190353703747199
                                                                  Encrypted:false
                                                                  SSDEEP:24:tPUnzxbO3rYFT6JxrYFTMoYwfvBEpZ9Rr43z5EzkCn6WROm3zMyxWTfyJC3tIpzu:tIO3rYJGrYJewfwDRr439Qz3wEWmJC3j
                                                                  MD5:3B188A888C13B906D63AAEBDF045A62E
                                                                  SHA1:1E87F89CE4FE0A1223837C53E8705CC89B7DADFB
                                                                  SHA-256:0307BBD6F47A0B7F0F477019B8CBDD40CDEC72304E75C988E3D0C36EBC7975F1
                                                                  SHA-512:2D7ACE9220C323A56874D78331CF7F04FBD7B0E2CC6F3EBF4AA0D397F626A9E8B29CC83CEFB7D9FCA6582E077B2307DF8F544547DD9A9A85AB90DCCF18199794
                                                                  Malicious:false
                                                                  Preview:Copyright (C) 2002-2009 Xiph.org Foundation....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:....- Redistributions of source code must retain the above copyright..notice, this list of conditions and the following disclaimer.....- Redistributions in binary form must reproduce the above copyright..notice, this list of conditions and the following disclaimer in the..documentation and/or other materials provided with the distribution.....- Neither the name of the Xiph.org Foundation nor the names of its..contributors may be used to endorse or promote products derived from..this software without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS..``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT..LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR..A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL T
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1498
                                                                  Entropy (8bit):5.190533433977959
                                                                  Encrypted:false
                                                                  SSDEEP:24:mPUnzxbO3rYFT6JxrYFTMoYwfvBEpZ9Rr43z5EzkCn6WROm3zMyxWTfyJC3tIpzu:mIO3rYJGrYJewfwDRr439Qz3wEWmJC3j
                                                                  MD5:42B8BAA1212611C0B81ACECB68143758
                                                                  SHA1:45177CDB4B0A4675541AF8784EF0F11A574B646D
                                                                  SHA-256:776B6F6AB87AFA263D534AD4061B6180149DE0FED90E2E18E1592992922327CE
                                                                  SHA-512:4B66868AE698A40796FEB078C98AC4E4D8BDBCDED69C4332FD5B1291DBE5DFE26873C74421AE261E6241B2810F25EF846B97955954E36395A33C75C98ACD37A7
                                                                  Malicious:false
                                                                  Preview:Copyright (c) 2002-2008 Xiph.org Foundation....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:....- Redistributions of source code must retain the above copyright..notice, this list of conditions and the following disclaimer.....- Redistributions in binary form must reproduce the above copyright..notice, this list of conditions and the following disclaimer in the..documentation and/or other materials provided with the distribution.....- Neither the name of the Xiph.org Foundation nor the names of its..contributors may be used to endorse or promote products derived from..this software without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS..``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT..LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR..A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL T
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1568
                                                                  Entropy (8bit):5.131274892152107
                                                                  Encrypted:false
                                                                  SSDEEP:48:DdOVprYJfprYJkS7vePk7439G3wEWmJC3t2zTHr:DQVprYJfprYJkS7vpM3M3wQigzTL
                                                                  MD5:FEEE05E3B507027BBD2CFD24E7F15F3D
                                                                  SHA1:30EFB2151240A8A21278586A602528A6047FA68F
                                                                  SHA-256:2CC37F6DF345042B32A0C99615D89B8EB079EF094C1EDCFA4F57BA8F77D9809E
                                                                  SHA-512:5A792D0980F37AD58450DC9C39E60AC01ABE4F2D4ED4F1359CAB43C9208D499679B87079C1435D2FABF9E4E545415C0747A13C0F21A023A28895257F15D4005D
                                                                  Malicious:false
                                                                  Preview:Copyright (c) 2010, The WebM Project authors. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are..met:.... * Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright.. notice, this list of conditions and the following disclaimer in.. the documentation and/or other materials provided with the.. distribution..... * Neither the name of Google, nor the WebM Project, nor the names.. of its contributors may be used to endorse or promote products.. derived from this software without specific prior written.. permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.."AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT..LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):10462
                                                                  Entropy (8bit):4.676548121343821
                                                                  Encrypted:false
                                                                  SSDEEP:192:9zOWmgG5EEbGoC2Pv0FqXFR9AT5GPM8HEWn8VqgHGOJzsp+TBK9dHs:FtG5BbhC230qOd4Hh514TBK9+
                                                                  MD5:0D9EFFEF7E37A76BFB57AD064556AAEC
                                                                  SHA1:BB9371ECC725503CE93710BD723036A99E1DFB11
                                                                  SHA-256:9B82713049AF7BDA5C5EF7EDBFB1DFEFAE27816565B24D3230E1E5015293AE81
                                                                  SHA-512:2EFF9400231EF0751318D3ED0F1BEA82A7836171AF0A7CA72C8B50C5E0964BFADBE987A39A20ABDE7B08A509778907049DD3FFB1EB67FD2CC8A2826A2C164A9F
                                                                  Malicious:false
                                                                  Preview:Apache License..Version 2.0, January 2004..http://www.apache.org/licenses/....TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION....1. Definitions....."License" shall mean the terms and conditions for use, reproduction, and..distribution as defined by Sections 1 through 9 of this document....."Licensor" shall mean the copyright owner or entity authorized by the..copyright owner that is granting the License....."Legal Entity" shall mean the union of the acting entity and all other..entities that control, are controlled by, or are under common control with..that entity. For the purposes of this definition, "control" means (i) the..power, direct or indirect, to cause the direction or management of such..entity, whether by contract or otherwise, or (ii) ownership of fifty..percent (50%) or more of the outstanding shares, or (iii) beneficial..ownership of such entity....."You" (or "Your") shall mean an individual or Legal Entity exercising..permissions granted by this License.....
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1921
                                                                  Entropy (8bit):5.293374032724682
                                                                  Encrypted:false
                                                                  SSDEEP:48:n1zd0A4xsciUOV/rYJa/rYJk8r432sG+p32sGEtX1qD2HC:nlKXkV/rYJa/rYJkH393qb2i
                                                                  MD5:94C587C16D7B25F0B1C83DF19CF1E4E0
                                                                  SHA1:00D7CE85D426FFEF3C4CD36C283BBC25A64A867B
                                                                  SHA-256:8E18919288DF4A1E812D60FA83AAA444A5D2CC2F3AF5AFCBFC8B81B576DA866A
                                                                  SHA-512:FC73EEE49AC984C7DA62ADB1E467117127F8C80308E6B6AD2F8BB7EDD314C06D50F89B19CAE51166C01B8DAD8952023E074D18698C55B954F0B7839DEA68C5DD
                                                                  Malicious:false
                                                                  Preview:/*.. * Copyright (c) 2002-2012, Communications and Remote Sensing Laboratory, Universite catholique de Louvain (UCL), Belgium.. * Copyright (c) 2002-2012, Professor Benoit Macq.. * Copyright (c) 2003-2012, Antonin Descampe.. * Copyright (c) 2003-2009, Francois-Olivier Devaux.. * Copyright (c) 2005, Herve Drolon, FreeImage Team.. * Copyright (c) 2002-2003, Yannick Verschueren.. * Copyright (c) 2001-2003, David Janssens.. * Copyright (c) 2011-2012, Centre National d'Etudes Spatiales (CNES), France .. * Copyright (c) 2012, CS Systemes d'Information, France.. *.. * All rights reserved... *.. * Redistribution and use in source and binary forms, with or without.. * modification, are permitted provided that the following conditions.. * are met:.. * 1. Redistributions of source code must retain the above copyright.. * notice, this list of conditions and the following disclaimer... * 2. Redistributions in binary form must reproduce the above copyright.. * notice, this list of conditions a
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1973
                                                                  Entropy (8bit):5.225554620969233
                                                                  Encrypted:false
                                                                  SSDEEP:48:p5NO3rYJGrYJLP/8Rr439X32s+EtXQ3twHpWrDmWMbWc:g3rYJGrYJL823B3qFKJMDmlbr
                                                                  MD5:10FDD4211E4CF000764DC5D0261718F7
                                                                  SHA1:50F6B2099A734AC9EF4239ECE33738C11BF0BCCE
                                                                  SHA-256:3503C933EA0F5ED0394A099FD11F9B10D294213787A7153231C82F50F1A883ED
                                                                  SHA-512:F9F57080006015F69F7DB5F7246656DC3AED0E1AA9E6C48421504DD60FD0DFACA64700771DA6672867F6E7CB267F8523CA54A13C8F676E402444B2713BC10068
                                                                  Malicious:false
                                                                  Preview:Copyright 2001-2011 Xiph.Org, Skype Limited, Octasic,.. Jean-Marc Valin, Timothy B. Terriberry,.. CSIRO, Gregory Maxwell, Mark Borgerding,.. Erik de Castro Lopo....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:....- Redistributions of source code must retain the above copyright..notice, this list of conditions and the following disclaimer.....- Redistributions in binary form must reproduce the above copyright..notice, this list of conditions and the following disclaimer in the..documentation and/or other materials provided with the distribution.....- Neither the name of Internet Society, IETF or IETF Trust, nor the ..names of specific contributors, may be used to endorse or promote..products derived from this software without specific prior written..permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS..`
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):18326
                                                                  Entropy (8bit):4.73273449825983
                                                                  Encrypted:false
                                                                  SSDEEP:384:Thj2PmwERb6k/iAVX/dUY2ZpEGMOZ77o0UDqHZ:Th6un1iYWrTXo0UDqHZ
                                                                  MD5:3515835A89D4C99214D0AB65D433AF16
                                                                  SHA1:ADD0478984908706AAB929CAF1721999D82F3A48
                                                                  SHA-256:9F2E250993C6206FAC643824E05E5A0D7D3E0895D9E09A5CE4B12BC2610AFC11
                                                                  SHA-512:BC7C26D7AD088967FA1FD9BF7CE7C509A6565B7BD0D6DC237F0285F9C62350F6D1F1B3E3B5E7BB25E4CE4A513C2C5165D91C4458DCC161FD2571F73DE4F61211
                                                                  Malicious:false
                                                                  Preview:.. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc.,.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Lesser General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Public
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25225
                                                                  Entropy (8bit):4.662873892242754
                                                                  Encrypted:false
                                                                  SSDEEP:384:xhL2PFB6sr5CtyyHekX6sT6AATeINgKP+THQ/13gcmmItyOQ3M9YeWEekBYoI:xhyzd9YekOTeDTEqFKTelekBYoI
                                                                  MD5:659DEED11B001C1768B3649A356720D9
                                                                  SHA1:5539E5A6BE962B173D430F0944DC4E921FEF8A11
                                                                  SHA-256:6426AB73418611E141089526C6827D25590C7A58662D774909A3E1E91640B1DA
                                                                  SHA-512:27931A68658102C1C89A6DE8021CD8B50C60F000F68C79695D135703B914DA3C9E633268B68C4BF20607E0DCA4AD5C0C0B7435ABE9891F3C02BD3B612C257C27
                                                                  Malicious:false
                                                                  Preview:.. GNU LIBRARY GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1991 Free Software Foundation, Inc... 675 Mass Ave, Cambridge, MA 02139, USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed.....[This is the first released version of the library GPL. It is.. numbered 2 because it goes with version 2 of the ordinary GPL.]....... Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..Licenses are intended to guarantee your freedom to share and change..free software--to make sure the software is free for all its users..... This license, the Library General Public License, applies to some..specially designated Free Software Foundation software, and to any..other libraries whose authors decide to use it. You can use it for..your libraries, too..... When we speak of free software,
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1118
                                                                  Entropy (8bit):4.902048792282404
                                                                  Encrypted:false
                                                                  SSDEEP:24:vO+q7PKyEOkHNCTbVfTY3sD/9l5rUK22I+oWrsO4:vI2ygHiTFD/9jrUdSR4
                                                                  MD5:5294F5ADC58662A908B9FB97BE9DA775
                                                                  SHA1:F912E7BF44B03B6E81775FB0FE268D249BAC18C5
                                                                  SHA-256:4590EB0451525C70534E3C5CD377858FF180468D80FF32A194095EB238A1F024
                                                                  SHA-512:E86558AE67755D451CAEE752D456BA96D52378F7F559F81972D3D4A5B4140A12CE7230734FAEEF06DAE7E057CF5112C8DCDD7381D0C5E1B302CB625346841A24
                                                                  Malicious:false
                                                                  Preview:SoX Resampler Library Copyright (c) 2007-13 robs@users.sourceforge.net....This library is free software; you can redistribute it and/or modify it..under the terms of the GNU Lesser General Public License as published by..the Free Software Foundation; either version 2.1 of the License, or (at..your option) any later version.....This library is distributed in the hope that it will be useful, but..WITHOUT ANY WARRANTY; without even the implied warranty of..MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser..General Public License for more details.....You should have received a copy of the GNU Lesser General Public License..along with this library; if not, write to the Free Software Foundation,..Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.......Notes....1. Re software in the `examples' directory: works that are not resampling..examples but are based on the given examples -- for example, applications using..the library -- shall not be consi
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1809
                                                                  Entropy (8bit):5.295828158500282
                                                                  Encrypted:false
                                                                  SSDEEP:48:ZeKTSEO3rYJGrYJewfwDRr439Y32s+EtXQ3twHy:Z5ut3rYJGrYJewA23+3qFKS
                                                                  MD5:589636B99CB7B72C95ABC0DBE65F7F87
                                                                  SHA1:F60CD42233CD15DF45CFEF3737461402B0BE296A
                                                                  SHA-256:345C24D94A4CBE40A388B30EC9074C56BB0931EF056A0B043F15152D6BA8FDF1
                                                                  SHA-512:0C54744C24C9319565C7E8E96A818486519EF0AAFF6432E2FB5D2D88B3573FE7E2D818413D7F09CA6F6E6D5C1040BE5F35109F5AD3567CFCC656D754322D574B
                                                                  Malicious:false
                                                                  Preview:Copyright 2002-2008 .Xiph.org Foundation..Copyright 2002-2008 .Jean-Marc Valin..Copyright 2005-2007.Analog Devices Inc...Copyright 2005-2008.Commonwealth Scientific and Industrial Research .. Organisation (CSIRO)..Copyright 1993, 2002, 2006 David Rowe..Copyright 2003 ..EpicGames..Copyright 1992-1994.Jutta Degener, Carsten Bormann....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:....- Redistributions of source code must retain the above copyright..notice, this list of conditions and the following disclaimer.....- Redistributions in binary form must reproduce the above copyright..notice, this list of conditions and the following disclaimer in the..documentation and/or other materials provided with the distribution.....- Neither the name of the Xiph.org Foundation nor the names of its..contributors may be used to endorse or promote products derived from..this software w
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26934
                                                                  Entropy (8bit):4.662386518014067
                                                                  Encrypted:false
                                                                  SSDEEP:384:cjWBIk+x/vIqk0TkX6sT6AATeINgKP+nHQ41fgcmmItyOQeM9YfWEeHBfuo0:ciBJsFkOTeDnLqFXTfleHBfuo0
                                                                  MD5:F14599A2F089F6FF8C97E2BAA4E3D575
                                                                  SHA1:8F1A637D2E2ED1BDB9EB01A7DCCB5C12CC0557E1
                                                                  SHA-256:885A03F54B157961236F46843E79972ABFCD6890B6CBB368BC7ECA328FF95A12
                                                                  SHA-512:0F3545894CF1B8D5C8B3A940BD12DEB98F18DB4EFCE5A29BFC7018C2C3C9D2F6D2B06DB48A42B8E74DE2AECD28F21BAB7F4A23FCF2B4C66791DCE3C8EDDEF2AF
                                                                  Malicious:false
                                                                  Preview:.. GNU LESSER GENERAL PUBLIC LICENSE.... Version 2.1, February 1999.... Copyright (C) 1991, 1999 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed.....[This is the first released version of the Lesser GPL. It also counts.. as the successor of the GNU Library Public License, version 2, hence.. the version number 2.1.]....... Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..Licenses are intended to guarantee your freedom to share and change..free software--to make sure the software is free for all its users..... This license, the Lesser General Public License, applies to some..specially designated software packages--typically libraries--of the..Free Software Foundation and other authors who decide to use it. You..can
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1151
                                                                  Entropy (8bit):3.93759921594655
                                                                  Encrypted:false
                                                                  SSDEEP:24:GMB/IHRWeFTbVdZdEEeMR0yY7lOkHEYlgs:5BwHRWelZdEEeU0yY/HEY+s
                                                                  MD5:53201CF410BFB81CA2676C56DD154028
                                                                  SHA1:B532F99161AEB7CC58CF59D3114C56A728C008C3
                                                                  SHA-256:E430F8C5BAE1565ABD766766DE91E1F9FA1A8B82D04B1E34039717FE56290ED7
                                                                  SHA-512:3D608FEAC9346A650E60B442964915DEE768EB3BCCDF14E92BD010D7EA21E52DBC566ADC2369FD8CF25172EC18E5B974E84F42952064E1F29A65213B50C98A47
                                                                  Malicious:false
                                                                  Preview:In this project is open source in the sense of the GPL..... * This program is free software; you can redistribute it and/or modify *.. * it under the terms of the GNU General Public License as published by *.. * the Free Software Foundation; either version 2 of the License, or *.. * (at your option) any later version. *.. * *.. * You should have received a copy of the GNU General Public License *.. * along with this program; if not, write to the *.. * Free Software Foundation, Inc., *.. * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *.. * *.. * This program is distributed in the hope that it will be useful, *.. * but WITHOUT ANY WARRANTY; without even the implied warranty of *.. *
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):10462
                                                                  Entropy (8bit):4.676548121343821
                                                                  Encrypted:false
                                                                  SSDEEP:192:9zOWmgG5EEbGoC2Pv0FqXFR9AT5GPM8HEWn8VqgHGOJzsp+TBK9dHs:FtG5BbhC230qOd4Hh514TBK9+
                                                                  MD5:0D9EFFEF7E37A76BFB57AD064556AAEC
                                                                  SHA1:BB9371ECC725503CE93710BD723036A99E1DFB11
                                                                  SHA-256:9B82713049AF7BDA5C5EF7EDBFB1DFEFAE27816565B24D3230E1E5015293AE81
                                                                  SHA-512:2EFF9400231EF0751318D3ED0F1BEA82A7836171AF0A7CA72C8B50C5E0964BFADBE987A39A20ABDE7B08A509778907049DD3FFB1EB67FD2CC8A2826A2C164A9F
                                                                  Malicious:false
                                                                  Preview:Apache License..Version 2.0, January 2004..http://www.apache.org/licenses/....TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION....1. Definitions....."License" shall mean the terms and conditions for use, reproduction, and..distribution as defined by Sections 1 through 9 of this document....."Licensor" shall mean the copyright owner or entity authorized by the..copyright owner that is granting the License....."Legal Entity" shall mean the union of the acting entity and all other..entities that control, are controlled by, or are under common control with..that entity. For the purposes of this definition, "control" means (i) the..power, direct or indirect, to cause the direction or management of such..entity, whether by contract or otherwise, or (ii) ownership of fifty..percent (50%) or more of the outstanding shares, or (iii) beneficial..ownership of such entity....."You" (or "Your") shall mean an individual or Legal Entity exercising..permissions granted by this License.....
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):10462
                                                                  Entropy (8bit):4.676548121343821
                                                                  Encrypted:false
                                                                  SSDEEP:192:9zOWmgG5EEbGoC2Pv0FqXFR9AT5GPM8HEWn8VqgHGOJzsp+TBK9dHs:FtG5BbhC230qOd4Hh514TBK9+
                                                                  MD5:0D9EFFEF7E37A76BFB57AD064556AAEC
                                                                  SHA1:BB9371ECC725503CE93710BD723036A99E1DFB11
                                                                  SHA-256:9B82713049AF7BDA5C5EF7EDBFB1DFEFAE27816565B24D3230E1E5015293AE81
                                                                  SHA-512:2EFF9400231EF0751318D3ED0F1BEA82A7836171AF0A7CA72C8B50C5E0964BFADBE987A39A20ABDE7B08A509778907049DD3FFB1EB67FD2CC8A2826A2C164A9F
                                                                  Malicious:false
                                                                  Preview:Apache License..Version 2.0, January 2004..http://www.apache.org/licenses/....TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION....1. Definitions....."License" shall mean the terms and conditions for use, reproduction, and..distribution as defined by Sections 1 through 9 of this document....."Licensor" shall mean the copyright owner or entity authorized by the..copyright owner that is granting the License....."Legal Entity" shall mean the union of the acting entity and all other..entities that control, are controlled by, or are under common control with..that entity. For the purposes of this definition, "control" means (i) the..power, direct or indirect, to cause the direction or management of such..entity, whether by contract or otherwise, or (ii) ownership of fifty..percent (50%) or more of the outstanding shares, or (iii) beneficial..ownership of such entity....."You" (or "Your") shall mean an individual or Legal Entity exercising..permissions granted by this License.....
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1583
                                                                  Entropy (8bit):5.043568781735023
                                                                  Encrypted:false
                                                                  SSDEEP:24:Q53UnzoF+bOYFTL+JKFT888GBTPi9H432sZEOkH09ROk32s3yetTfj13tQpzZlTS:XOYJPJuiPwH432sm632s39t313tuzTHy
                                                                  MD5:A2325BCC2B71A37B4A73A25F5026F142
                                                                  SHA1:11A6ED6365B58A6271E8822BCC13ACDB3FC57CE7
                                                                  SHA-256:2592D413ACE66C43B15282C4ED3A1DD56B3CB5E4884278197D514E8CB4CE6334
                                                                  SHA-512:B6982179B6154946A0D7ADBEEB1175DE6AD4153F041AC3193E52711901C56FD6F6F8442B20E90986DE183AC6C43F5DC688DA52871DB4C8B73A7DE8ACFE978496
                                                                  Malicious:false
                                                                  Preview: Copyright (c) 1998 - 2009 Conifer Software.. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are met:.... * Redistributions of source code must retain the above copyright notice,.. this list of conditions and the following disclaimer... * Redistributions in binary form must reproduce the above copyright notice,.. this list of conditions and the following disclaimer in the.. documentation and/or other materials provided with the distribution... * Neither the name of Conifer Software nor the names of its contributors.. may be used to endorse or promote products derived from this software.. without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"..AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE..IMPLIED WARRANTIES OF
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):18332
                                                                  Entropy (8bit):4.736582899910517
                                                                  Encrypted:false
                                                                  SSDEEP:384:lq2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sDT2:lzuVLiY+rTZo0sDT2
                                                                  MD5:46AAF69A91703493B666F212A04F2D8D
                                                                  SHA1:B9E28040DE9D8773C5B0CC8108869E8F3F287798
                                                                  SHA-256:DA0ECA0FB517AC939D167924C9D4B3F8750A6B7191932EF2CB145ACFA624AC7E
                                                                  SHA-512:4338956981EDED4D243272DD8B6F7D35B62EC3759609DE1A94FDE7AA427C8F976DD7CA838A818DC7286576C760A10B5A7D44BC343483A246F289099814472C88
                                                                  Malicious:false
                                                                  Preview:.. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Publi
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):18475
                                                                  Entropy (8bit):4.736279406796861
                                                                  Encrypted:false
                                                                  SSDEEP:384:lq2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sDTp:lzuVLiY+rTZo0sDTp
                                                                  MD5:90D8952A7202BAA255486D8807E6FC73
                                                                  SHA1:AC8B3BBFFF3377358E9A6926C69E7638F399FB05
                                                                  SHA-256:5C77DA37C5D3DFB6B802E4619B69A47A3CE92321A20E47B0844A4B83666760A1
                                                                  SHA-512:8ABF2E7BC4446ED9FFD5C2614B4D6246D7E2D8E420149C674465E0C46552C9796266F186BEDB243E4120C20D29E5FC2D2823D7499C74B489AE062B759EF2DD80
                                                                  Malicious:false
                                                                  Preview:.. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Publi
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):35821
                                                                  Entropy (8bit):4.622128610438848
                                                                  Encrypted:false
                                                                  SSDEEP:768:A7Y+tNdSz3ZlqXOWoInuzx3Y8N3WiYD0v:AVtNIq1uzZY1C
                                                                  MD5:3C34AFDC3ADF82D2448F12715A255122
                                                                  SHA1:7713A1753CE88F2C7E6B054ECC8E4C786DF76300
                                                                  SHA-256:0B383D5A63DA644F628D99C33976EA6487ED89AAA59F0B3257992DEAC1171E6B
                                                                  SHA-512:4937848B94F5B50EA16C51F9E98FDCD3953ACA63D63CA3BB05D8A62C107E382B71C496838D130AE504A52032398630B957ACAEA6C48032081A6366D27CBA5EA9
                                                                  Malicious:false
                                                                  Preview: GNU GENERAL PUBLIC LICENSE.. Version 3, 29 June 2007.... Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed..... Preamble.... The GNU General Public License is a free, copyleft license for..software and other kinds of works..... The licenses for most software and other practical works are designed..to take away your freedom to share and change the works. By contrast,..the GNU General Public License is intended to guarantee your freedom to..share and change all versions of a program--to make sure it remains free..software for all its users. We, the Free Software Foundation, use the..GNU General Public License for most of our software; it applies also to..any other work released this way by its authors. You can apply it to..your programs, too..... When we speak of free software
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):18327
                                                                  Entropy (8bit):4.737165188068356
                                                                  Encrypted:false
                                                                  SSDEEP:384:1q2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sDx2:1zuVLiY+rTZo0sDx2
                                                                  MD5:9E865F6174E00936D7BE7B816B3FF188
                                                                  SHA1:E64C9C36E85D2022A45A3D4CB0F196C01F216072
                                                                  SHA-256:40A8C1EA469C6813413443DF59115ECC781421CC7D184839CCC7C9F54057A283
                                                                  SHA-512:FC1CCB590D07D25403B98C6120253CFD0BD24437962BED65B83B3806EEC26DB0A02B92804B3A292E4E44DC558A264DB00EFE7B348D7F70F4C19B43FA9002E2C8
                                                                  Malicious:false
                                                                  Preview:.. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Public Li
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1130
                                                                  Entropy (8bit):4.564792896349799
                                                                  Encrypted:false
                                                                  SSDEEP:24:jmAmxsMvvcxAbr2tQNNMTpxGvNbyo8POABt:tH4vcebyt6NMTpxe1ypWqt
                                                                  MD5:732FCF427DACB61BD341CCD70A78ABBA
                                                                  SHA1:575079B9642564BCF53F49F9B7913DC7BC80D577
                                                                  SHA-256:B9091018A7AD4C89E57DCC926F1FF7CA1B7D807C8448A0E2B530827DB041DD16
                                                                  SHA-512:3642FA7227865B629D36780B9B20D71F687DBC30BAFB996D92EAACC8544E8D78B2402329796B204391CF2D946B9B15830403BD1994A9CEC93E64D0A5CEC6EB01
                                                                  Malicious:false
                                                                  Preview:/* zlib.h -- interface of the 'zlib' general purpose compression library.. version 1.2.7, May 2nd, 2012.... Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler.... This software is provided 'as-is', without any express or implied.. warranty. In no event will the authors be held liable for any damages.. arising from the use of this software..... Permission is granted to anyone to use this software for any purpose,.. including commercial applications, and to alter it and redistribute it.. freely, subject to the following restrictions:.... 1. The origin of this software must not be misrepresented; you must not.. claim that you wrote the original software. If you use this software.. in a product, an acknowledgment in the product documentation would be.. appreciated but is not required... 2. Altered source versions must be plainly marked as such, and must not be.. misrepresented as being the original software... 3. This notice may not be removed or altered fr
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):881312
                                                                  Entropy (8bit):4.972555079322372
                                                                  Encrypted:false
                                                                  SSDEEP:24576:N/EE4ep3sZLo/m4LEOS2sW2Yjf9+PiRUgyjFh2/EE4ep3sZLo/m4LEOS2sW2Yjfs:hqjEqjd
                                                                  MD5:2D96544118F92E8D045BA8764DE00567
                                                                  SHA1:CE2827409E19CE8F59DD8229836C293906340041
                                                                  SHA-256:DEE2A8B40FB8ADD3545205E4E7443CAE2CB766922C137FF6FA9FB32C0C2303F0
                                                                  SHA-512:53DA7B82EAAAB1BCCF26A7E6807113ABD58B326DEB113B0278D37305A2F49C37F9C007BC0FE5163BA51C15DF800306323D7E1692522FBA60A5CA343CE6D9520C
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.... r..NPMS....B...NPNE.....NPE3......U.9....=....w\.........?.8....M#...h}-....M.......x............,.....o.%.\..:.......99..........(,................(R........$R...(,..........p.........(.(\.......]...pC..@..QX(.(.....i...(.(,(.(\....dI;$.D...D"U..l(..(.....(.(......k.tt.$t$.....l.].$.....l...........l.....t...u.....u.X.......t.....u...........(.(.........(.(,((.......(((,........((M,........((.,........(((.X........k.tt.$t$..................................................................(((9((X......(((,....1....4pD^o..N z((X......(((,....1....4pD^o..N z((........tt...R.........................................................................................((...........k.tt..........................................................................................((..........(.(,((.......(((,........((M,........((.,........(((.X...t$..k.tt.......................................................................(((9((X......(((,....1....4pD^o..N z(
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):58645
                                                                  Entropy (8bit):3.800276694440904
                                                                  Encrypted:false
                                                                  SSDEEP:1536:z+BFccUIIvccNIIMjGyIeGyIGmGyIVGyIMGyILGyIF+GyITGIyqGIyEGIyf3GIyP:yy8
                                                                  MD5:74380CFDD501CBBC11FF0912C2BF1EAE
                                                                  SHA1:2FAE9DC96F06C58D5AAAD4830E344E97C86F8EC5
                                                                  SHA-256:050D878A02DC969D30315B1352B88E550D4B47650E0F0E025457071D1F5C88EF
                                                                  SHA-512:9A1306046D8A0B4F0048723EC7D092F45EED091C5913840CB292FBAE85E3AAAE6AE2E3F926D956D737F0D4D43FAFB8A96CFC67F09A252D83F3687380B8533918
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.....T.......p....:......A.....s}.....p.j......n...n..Q.....n......WA........>{...#...]........P......W..................=.$l]O..$.]=m'.....W..........H............A......e.cPc..W..c.........n......W...A...%.....|..?...+.4....n............m.'=|....'........'.$.|...T.1...h.=.....1.....r...I.r.8...W.........1...h.=.r..................W...8n.......W...........W....7......W....!.......q...=$m...$.............................................................................q8n.......WA...Q.^-..Axe..B.J@...q8n.......WA...Q.^-..Axe..B.J@....W...8n.......W...........W....7......W....!.......q...|...]..............................................................................q8n.......WA......m....&.8....q8n.......WA......m....&.8.....W...8n.......W....n......W....7......W....7.......q...O=$................................................................................q8n......q8n..................W...8n.......W....n..
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):267184
                                                                  Entropy (8bit):6.401181616245695
                                                                  Encrypted:false
                                                                  SSDEEP:6144:Ye2xFe2SU70EJdfqstDdd0sssssssSt/mBY8Q4LtbAC10iZT:YLuO0EJdfqgT6lmBYXotEMnZT
                                                                  MD5:52009C3946C68D9A2F3CCC88BBAEE0A9
                                                                  SHA1:386824DE33957E4083001108376B05261412EBE4
                                                                  SHA-256:E06314B91DE11F3A2703B55D4178542AB8985565E503DBEF276D0427D92511CE
                                                                  SHA-512:A2459EED7451521AA6708E78B9CE837D9758AC58452B99D949D08F25149DA64891CD7FF56B5050DE4256E9A649A30F490F8457C56EF55C00698C2D5B7B04BA88
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....0...NPMS....B...NPNE.....NPE3......[.&....M....g..V........:........h...+BV..p.....V.uV........V3V.......%.J...iJY....$V3&&....'...V3.........V38.......#.x....Vx..#I...V3.........V3\V.........8......j.5..u...N...^...V.V.........V..8......Z{.....j.@.&:Z...8........8.8....I\I..#\....\..I.....x.......>.....#.....>.......l.......x.#.....I.....V.>.x...#..8.V.........8....~..................p...........V............8....>...#.\...........................................................................&...~..............bW.X.\..%U(mQ....~..............bW.X.\..%U(mQ....V.....I..#\........../C...~..B...-~...M...M...r.......C..N....3..,V.......J...8...!../~.......M............8....>...#.\I..#\.....)...E...Y..!....!.......Y..K....V..N.../....C.......E..NY...E...j...r..P....V...J....V.................mQ...3:........8.....I..#.......V38.K......V........#......\I.#.V3.........V3\V.........V&.......V.8....~..................p...........V............8....>...#.
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1904210
                                                                  Entropy (8bit):5.5640942002608265
                                                                  Encrypted:false
                                                                  SSDEEP:24576:bar9SfSiZDswAEN335Rr9SfNiMVDxAENsAS8N5Y:bar9S5F35Rr9SYL
                                                                  MD5:45FCEA5BD3826E0659BC45F36EF7AD98
                                                                  SHA1:8278EE8F859AB098C7D69C5636D93E0B00385736
                                                                  SHA-256:5034B3D1CB1E96865276D133C00A3119D6F8E8E0DDE54993BDBCDFF7C3CCE2E2
                                                                  SHA-512:A13D4582F2158933ABD9EF32FA9077E8A5D762BC3E07ACC6AF8CAAB30BCA801CD107EBCB366B4D6C7B6D4E9D49E0C488202D13CF5244D643D396D97FC7151787
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3.....Z...^RRR.RRR..C......RRR.u2..........q.....RRR....^RRR.RRR.....RRRQ.v..-}C/..R..[....^RRR]T.R....^RRRRRRR.....RRR....:3...:...0A.R....^RRRRRRR..B.^RRRRRRR..C.RRR.F_48FO..;./..W.....^RRR.RRR......C.RRR.>...f.d.!.R...`....RRRR...RRR0B0;z.BA;R.R)R.R.RAR:RoR.RZR.R.RiR.R.R.R.R.R.R.R.RGR.RxR:R.R.R.R0R.R.R.R.R:R.R.R...^RRR.RRR......U.RRRR....^RRR.RRR....^RRRRRRR....^RRRRRRR....xRRR.0;z.BA;0.RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR......xU.RRR.....RRR...y.><B.Dv....M..xU.RRR.....RRR...y.><B.Dv....M.....RRR.0;z.BA;0.RkRn.g|b.g*..g.m.g.l.gz..g6b.g..g_l.gt..gt..g...g.W.g.D.g..g._.g.P.g.D.g...g.b.g.gt.......RRR.0;z.BA;0.RkRm.g...g.g.P.g.n.g_..g...g.\.g.@.g_.g.P.g...g...g@P.g...g...g|a.g|\.g_..g.W.g...g......^RRRRRRR......U.RRRR....^RRR.RRR....^RRRRRRR....^RRR.RRR....xRRRi......kB0;z.RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR......xU.RRRR..xU.RRRR....^RRRRR!u...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):11709
                                                                  Entropy (8bit):5.315779721306656
                                                                  Encrypted:false
                                                                  SSDEEP:192:p7BOB92tHfqy2qxMPtTdRUK2CU1IJBvcvaPINjNW+VLcKscJKUIY:p7BOB94fqQ8Rv46CNjNt2FcJKUIY
                                                                  MD5:39004ACFA74F4436BB6FE53034CB2AEA
                                                                  SHA1:AFAF247DCEA157CEB615799155D23AE3AEC8B357
                                                                  SHA-256:D416F3D3DFC8E6C07C967C237EDAD7F2E2558931FCABB3BA170B414D814FD670
                                                                  SHA-512:4412745B243A1EFC337973E520E3540EFB403E60D826219E59A6CADA527FF94B9DCE5BBE314AD76D6084D6F7E1121E54D043FA738B2E4878552F91AED18320A6
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....=-..NPMS....B...NPNE.....NPE3.....i.pW...........'.'''q....h.}....D*.8u.v.'p.......'............5q...KU.O.........2f\..WW.........Z5..........j...Z$...`f.....f.w.$..Z5.........-.........Z.Z.q....iG....Z.~.....Z.Z.........Z.Z5Z.Z.q....\......O..O...Z..Z.....Z.Z.....w-w.3.pw.............{...i...............#.t........ .......#.w.f........f...Z.Z.........Z.Z5ZZ.L.....ZZZ5........ZZ.5........ZZ.5........ZZZ. .....$...-w.3.pw..................................................................ZZZWZZ L.....ZZZ5q.......R.-(&....}.ZZ L.....ZZZ5q.......R.-(&....}.ZZ......#w.3.pw..$...MA...A.... vcA.... ... 8.A...A.... ... .hA.... ... ... .. ..A..eA..l. 8.. ... .K. ...ZZ.......$...-w.3.pw.. ... .yA.8.. ... ..A.... ..A.v.A... N+A..nA... m.A.vyA... ... v}. ghA... .]. .S.ZZ..........Z...........Z.Z.........Z.Z5Z.Z5... ..../....Z..........Z.q.......R.-(&....}....-..WW.........Z5........../.....$...-w.3.pw...Z5.........-..........-Z..........-...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):35171
                                                                  Entropy (8bit):4.032589651538287
                                                                  Encrypted:false
                                                                  SSDEEP:192:VDtv8mIJQbzDnlsyoXiQpm/QZM8F0jR5Yt5U5BpcL4g5l+M12BfOEeSeOaz1t61+:VJIJOzDnCNrmm5tKo1hAOEeRRl
                                                                  MD5:407BDD5A0247381043829243A66D7F8B
                                                                  SHA1:CC99C78CBDFA4184E1AE292489D4E2BF072E568E
                                                                  SHA-256:E7022013A1CEDC590E7CF1037C56995C99F76793873846D116B85F007A46BE47
                                                                  SHA-512:7DE9CF2434208DA6D205141C02201FFED1EF314BDAFB16D1B6111CF470296393651A368BE8CC849A0CC2E94C3D13E0BCF14D6DBF67454143B365A3D2178421B8
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.......NPMS....B...NPNE.....NPE3.......(Giii'iiifITF.FFF.iii..$..6.g..9...D.F.g.iii..F..Giii.iii....iiiU..C.q:Tm...i.e...((GiiiV.ii....Giiiiiii...f8iii..$..6e.....e$.9.i....Giiiiiii....Giiiiiii...T.iiiD......B^...-..)....Giii.iii......T.iii..2hM.:B...n%w...c..iiii....ciii...}$....igi.i.i.i9i.i*i.i.i_i.i}i$i.i.i_i.i.i.i3i.i.i.i.i$i.i.i.iei.i.i_i.iei$i....Giii.iii....c..iiii....Giii.iii..g.Giiiiiii....Giiiiiii.....iii..}$.....9...iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii...(.....iii.....iii.c....E..A.y#1.|.....iii.....iii.c....E..A.y#1.|..c..iii..}$....i..0iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii..c..iii..}$.....9...iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii..c.Giiiiiii....Giii.iii.......T.iiiL..M.QF...kQ).%..c..iiii.....iii9....}$i.gi.i.i.i9i.i*i.i.i_i.i}i$i.i.i_i.i.i.i3i.i.i.i.i$i.i.i.iei.i.i_i.iei$....Giii.iii...T.iii((vMP.jTm..A.Dah&
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):280803
                                                                  Entropy (8bit):3.677790604289785
                                                                  Encrypted:false
                                                                  SSDEEP:6144:mRC61NwDojVz16Bc+b6CcFNjqs0FSQNSEykG6kgVcbYgKO/Yx+2XvOqc3reOANM9:K
                                                                  MD5:08628E13F75AAF880FCE312EF8D8D8FF
                                                                  SHA1:A20F82857ACCC079B7952081BA32CD0ADEC804A2
                                                                  SHA-256:8D2EED2AC87DAED5E8682DE298EC1E3FD90E536D4CB2BFB1CC5A535870FAEF66
                                                                  SHA-512:11096EEF718D2C0E7AD739071C8DF06832DE32D5199126EEAAF807F18E841C3AFB1EC9FD2A0DD9F4133CADBD80876658B121558C27CD74484D247842F2F17480
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....cH..NPMS....B...NPNE.....NPE3......Yl.x...L...S..V.VVV....y&.....p.u.jR....Vlc......V..x..................:A..):.J........x....J......x..........S.....uXJk...J.kJ.X..u.....x...........x................,.....S+..........x.......................>S..yR..............................J..........k.........J...X...9...............z.k.X.J.............k...X.....x...*....................x.........c.x...........x...........z...........J............................................................................z...............W .@..w0.".....z...............W .@..w0."...................J.J.................+..$...............J.......J.....Z...F...#w.............6...|......F.................J......HHHHH................................................T...T...T...T...T.......K...;......x........................x.../.....c.x...........x.../.......z....J.J.XJ...k...J....J.................................................................z........z........Ycx...........
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):196967
                                                                  Entropy (8bit):5.005479065375053
                                                                  Encrypted:false
                                                                  SSDEEP:1536:aqCqdoAQmh0Cqni7w/LpzM0j24ybbZxuwzfMBprkPwl94o14IOl3hbaiw6WiO7u3:8troVmng0xLa38zeLl
                                                                  MD5:2017A2820602BEE0A6C5C864827B55FF
                                                                  SHA1:17416CEE4D802E169D84A76112D8374D8B5662CF
                                                                  SHA-256:DAA663B50B1C690049544AA1375DFB8E6F0906FC63521C2AD4EE3A0ACA855247
                                                                  SHA-512:BC0528C1CC35C4F890553CF34377E2DA75FF64F422E3BD3093B3BDB054953F1854927A85532537393E291555D890BFB2DE84D7BCEC8420816734B2E75EE4257E
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3......n. ^^^.^^^".6.;...K^^^.y .t.._..j ..{;...v^^^v;..; ^^^v^^^;.;.K^^^.{...6....^N.Q;... ^^^,.^^;... ^^^^^^^;.."E^^^.....>...;...O.^;... ^^^^^^^;..; ^^^^^^^..6K^^^.q.D.p.t.8...ZM.;.; ^^^v^^^.;....6K^^^...f....?.o......v^^^^...^^^..O...^^s^.^.^!^.^O^.^j^!^.^.^.^.^.^!^.^.^<^.^W^.^'^W^q^.^.^.^<^.^.^W^;^.^.^.^.^..; ^^^ ^^^.......v^^^^.... ^^^.^^^.... ^^^^^^^..;. ^^^^^^^....q^^^....<.O...^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^......q.v^^^v....K^^^R..Z~f..\X.u:.....q.v^^^v....K^^^R..Z~f..\X.u:......;.^^^<O...^......^~...9...]......9...........sh...W......h....2..h...|........>..|h.........^............^^^....<.O...^.......r...K...................rO..|...^............!..:....A.......Z...q...J..r.......; ^^^^^^^.......v^^^^.... ^^^1^^^.... ^^^^^^^..;. ^^^1^^^....q^^^.<O..<....^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^......q.v^^^^..q.v^^^^..n. ^^^^^^^...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):31685
                                                                  Entropy (8bit):4.154351651070659
                                                                  Encrypted:false
                                                                  SSDEEP:384:6zrG+2szgmSHDPIRL3DTO4RfzQ5OMuMpiVib6BqbXpWm3:cCuMuMYDBqDz
                                                                  MD5:2EB8ED25A9C8D52DF3EA981B8B17A573
                                                                  SHA1:5E8E3EC8EC1E79F8DD0EEE84935C8EFE7601D8D7
                                                                  SHA-256:CA20D954F5E394B7AF6FF1EA0B5E25F694C6D5C77F00D2B63CD363AB33373FB5
                                                                  SHA-512:9834707E2B10E701CF11E2412D1CE2C97281942186EF15B298E05134BA62E4F8A4150CD240DC3276CED58B887A4B6DBB29F0C93C097F7D7C54F2B7A568273075
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....E{..NPMS....B...NPNE.....NPE3.....)..........Tc.`.......6...*_........y.`......`.X`.......`P`a....^+....:.{B.DZC`P.......|..`P.a........`P.T-....IB..Z.B`.BZI...`P.a........`P.`...............V/.:.w...g....`.`........`.a........E6...xTWy.3..T..o.......o.....].B........M.j.......M.)..B...I.M.....n.<..[.<.\...I.B...Z.<.`....Z.I...`..........a..o(........a...........a..........`a...........\....].B.B.............................................................................\(.......a....$o?.y...4.+.~.....\(.......a....$o?.y...4.+.~.....o`.....].B.....B].3...3.b.3...3.O.3.~C3...3..V3..3...3...3...3..V3.}.3.O.3.s.3.bF3.q.3..F3..3..f3...3..o......].B.....B].g3..g3..^3..3.qF3...3..F3..3..t3.s.3...3...3.Pt3.g.3...3...3.O^3...3.x.3.~g3...3..R3..o`....|.....oa....a.~0(.......{o:...o.\....ZI..............................................................................oa....%z.....`W...m.f..o.\.....BI.........................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):363
                                                                  Entropy (8bit):4.8162869893302345
                                                                  Encrypted:false
                                                                  SSDEEP:6:K5ucKVpoK0cT0hnGmmxof1MC8XyqXgyjgG0fuC2mny5PEzmxoRKCmxn:0QVGK0ionGvx61M6qNjgxZbny5Pvxzxn
                                                                  MD5:F07638987C0BB72C42EAA04D92B99C41
                                                                  SHA1:4BAF05DF9F7FB0791FAAD3F13838DD617D75C0EB
                                                                  SHA-256:864E14B9A7977F50E68DE42E9F285F311765CC1ECCDDB36B1E9D5291B572A597
                                                                  SHA-512:A2CBC98F85BEB8A8C01B50A2D87CD80D4C4878EE24EA27D215B34AA5EF7E0BF5772C1B36AD916383ED3A7C1B0F0E5BA8A4E997691966786242B1A879ADDC24D3
                                                                  Malicious:false
                                                                  Preview:h1 {font-size:20px;}..h2 {font-size:15px;}....a:link {color: #000000}..a:visisted {color: #000000}....#header {...text-align:center;..}....#wallindex {...width: 700px;...margin-left: auto;...margin-right: auto;..}....#indextd {...width: 350px;...text-align:left;...vertical-align: top;..}....#wallinfo {...text-align:center;..}....#footer{...text-align:center;..}
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1177600
                                                                  Entropy (8bit):6.7242723517544425
                                                                  Encrypted:false
                                                                  SSDEEP:24576:mIfI8mB7k7u58tRIqQaSp11OHpkfwnJOvsuzs9LwmaUbZs:mIgvyUYk1oO+9Lwm3Ns
                                                                  MD5:6B854FFC12E5E2C32683A03714CF6C5D
                                                                  SHA1:C8E5C0F57E18DFC5226FF0BD5BC63607E1754C66
                                                                  SHA-256:95550B81825AE3FB4298B0DE1F7EBD116754D99483A6D73CC7271E002484A928
                                                                  SHA-512:92B8908875B3376D60B19BB0E812B678870C70D708A278C781BD7AD30FDC96464C2038D578152AB7C2E7394F089BA399A55B5D5D7B7179A321B1BD1EF28215BD
                                                                  Malicious:false
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._..H...........#...8.........>..`........0.....c................................~A........ .........................Td..............|5......................x....................................................................................text...............................`..`.data...@....0......................@....rdata..X.... ......................@..@.bss.....<...............................edata..Td.......f..................@..@.idata..............................@....rsrc...|5.......6..................@....reloc..x............R..............@..B................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):43008
                                                                  Entropy (8bit):6.5893492509549665
                                                                  Encrypted:false
                                                                  SSDEEP:768:sZ1l+WCdhTcpKn+CwZoyf/dadEU9mRWtyTN:41l+WGhIKn+CQ7EyW0TN
                                                                  MD5:C4B4409F186DA70FCF2BCC60D5F05489
                                                                  SHA1:056663C9FD2851CD64F39D882F6758E7A987BD42
                                                                  SHA-256:B35F2A8F4C8F1833F3CDEC20739C58E295758CE22021D03D4335043148BD7610
                                                                  SHA-512:CDCB945A82A0304E4D7CFC9AE9D7E5A5E81D4E3025E982494C87C283F6FAC542181E9E1E3028456B9B0B5B6279990CB3E1A50F9DF0F6E707C70FA0E23C7A808C
                                                                  Malicious:false
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."A@J...........#...8.z..........`..............n................................1N........ .................................T...............................0....................................................................................text...hy.......z..................`.P`.data...(............~..............@.0..rdata..P...........................@.`@.bss..................................@..edata..............................@.0@.idata..T...........................@.0..reloc..0...........................@.0B........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):18207
                                                                  Entropy (8bit):3.9967679971795085
                                                                  Encrypted:false
                                                                  SSDEEP:192:+TsXMiCYR10ozzITon1FBzAxUMWSsnMG6BEM9C2JQ2ITQk7x+v:+YRCkmo3n1z4NRs/oJ
                                                                  MD5:F54E240FE3CC87B24A50380D90FCD496
                                                                  SHA1:F278D84D8E433597EC39AA2B42D221585CCE3B2B
                                                                  SHA-256:601BFA790516C808E427A329F290587B5E2D7FAEA3B1681D6E98EF37F8B8F732
                                                                  SHA-512:B9A2EA6C9C0C71A4F6FEC457A365676B202A31AF48F057072C365E64DF8A5A6D6DC1996B481CCFC755819C23A3EBB67ED5FB7B47DCD7BCC3602FEB94ECA83A5B
                                                                  Malicious:false
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,$.J.".........!...8..................... .....o.......................................... ......................P..x....`..l............................p.......................................................................................text...............................`.P`.data........ ......................@.0..rdata.......0......................@.0@.bss.........@........................@..edata..x....P......................@.0@.idata..l....`......................@.0..reloc.......p......................@.0B/4......6.............................../20...................................../32...................................../46.................. ..........................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                                                  Category:dropped
                                                                  Size (bytes):11544270
                                                                  Entropy (8bit):7.996831371443976
                                                                  Encrypted:true
                                                                  SSDEEP:196608:0zW04O1BKsCADynVDaJolSk80oxmlpZYdjznu2oWYLT64etpA0yBTbXmosdoa9zX:0H4mkstDync+qIHZ8jLBoWYX64evcBH+
                                                                  MD5:5D674EFB8F5CBA1A508F39B81C741984
                                                                  SHA1:3029E7293268175C95C283DE8C3B3E421C50021A
                                                                  SHA-256:7E6094CF85259374775056CC7C17F4C5363B9B4CD750ACF64DFD21CED408B0FB
                                                                  SHA-512:B1F8CF0B27D4119A40639F178D9EAF22639F069AF4776AD5DB36B96A5BB5F97FAD5F052F3F96B825D2164B860E7A6300D503A5C372DAF58A62E2F3BE4C2DA5D0
                                                                  Malicious:true
                                                                  Preview:PK..........B?................lib/UT...K..NK..Nux.............PK..........B?d....&...P......lib/libwkhtmltox0.aUT...K..NK..Nux.................E..;!..E...0B....I......2!!.....~&.f:...7.23.......DDDEE...T..e..Y..U.p8.r\..uY..........=5.f..n.I<..s!...v....nm.V.X.p.R....d<e...v.......x.....-k...........Ae.;TF.P.5Ke..T..Q..%*{..2.;*.5T..r.z*...T.r.6*.....2...7/..[....*7m.........[.Qy...w....+..9K..|p....r.r*.^K..R.?A.wS..a*.]N....<.../e.|.q*__K../R..b*.....<v".....CT.oQ...T~.....T.~..OvQ.._R..>*?.9...L.....l..s.R...T~u...y......#T..L*.9E......Q.......r.r*..R9.E*..P9.a*.8...Qy.sTNOPY|=.3.Sy.:*g.........b!.s..r...\..T.1*...^..:..wR.h1...LeC..._R.d..-3T.>Aep....*#wP.u...wQ..{*W.Ne..*c{...Le.f*....wQ.<E.......d......J........~C..k..r..w.@.....*...VS...T>...G.L......'?E.T>.4...._R.r...N..{.|s..G...ET.w....Syb../P..^*?.k*O....T~..T......T~q".....T..H...R.....7S..a*.6K.7.Ry.I*..E...m.|.Fe....+...QY.S*//R9e!.......v*g....=Fe.&*..He. .s...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):232960
                                                                  Entropy (8bit):6.307466559047116
                                                                  Encrypted:false
                                                                  SSDEEP:3072:ZWzfAQwIlcdCwM3ypapbIKi+DTJrDsUmBmeblip8vqkcfFQQka5Jtrhr:0TAWlcdk3LpbIR+prD0Bm6Gkai+JN
                                                                  MD5:37580B9354E984BF7C1A2B4ED7FA824B
                                                                  SHA1:F750F7B6214F5D03D4D6BB40A15B93B6F0820354
                                                                  SHA-256:5E0FAE7FFEC8DDBAA5D6BE610AB99F6A3B671D957A6AA601091ACB0DAE1921DC
                                                                  SHA-512:78A02D26007BA9631C85E7B0D1209ED1B854C21E348986039BB74782240B432234DB493A5AD0EFC6100BEB5E9C82633CB3B3E93E282AA686124FFC31E0483D5A
                                                                  Malicious:false
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`..H...........#...8.t..........`.............8l................................i......... ......................0.......P..4!......|5...........................................................................................................text....s.......t..................`..`.data....%.......&...x..............@....rdata...\.......^..................@..@.bss.... .... ...........................edata.......0......................@..@.idata..4!...P..."..................@....rsrc...|5.......6...:..............@....reloc...............p..............@..B................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                  Category:dropped
                                                                  Size (bytes):8564736
                                                                  Entropy (8bit):7.937142560747175
                                                                  Encrypted:false
                                                                  SSDEEP:196608:mdZ/DsyCTjOeUGs5AaLC4dDmw8XLfX5+mLNb3uCiVeIMpM:6CTqGkzC4dD8LfX5PLh+FH
                                                                  MD5:A81170F8841876FC808AD77EAA4AF956
                                                                  SHA1:04FD94F33F4518BB42A8E05D1DD7EBF33EF3A472
                                                                  SHA-256:91DDA652A54932DD74559C4751FAF19CE8B62B593BEB3A0473FC245C94EF1791
                                                                  SHA-512:F8A2851D1708A7EEC881E9A50B486536DA9A6E6B129275DF6DB329369247025F5585F02BB3F3AADE3C020C25F9AC62758EC298A309F4D5E106F1976CA74DA621
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......N...............8..........P...... P.......@........................................... .......................... ..........................................................................................................................UPX0......P.............................UPX1......... P.....................@...UPX2................................@...3.03.UPX!.....rT..1.......,......Kn..U.....`......f.......S 4..$P.@..........Al..k..E|.E......D$...V............f....J...b}....F....uJ.....d.......C,...\3..................\..E......$#....^..T.....C.Q..'0....P.w.t&...w...t."....T.....0B..&.?.....^..E.~.=.".w;=...9..rK.g;Q.....w........,....1........[]....tY=...=.uop.u..=.._tE=.'.o.K...ts.t.).v....d...._1......m{.Q".n..n`1..i.......-^1....I...7.L. W...u..0........w........R.e..]\.".(..,...#.5../..j..8.T..J..t1.)*6....Ndt...U\..
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):128993
                                                                  Entropy (8bit):4.430658949944898
                                                                  Encrypted:false
                                                                  SSDEEP:1536:9wQHkKeEJiu+McQsf7OYaAcWafJqlZjtGf2:9fE6Jiu+Wsf7OYaAcWafJqlZjsf2
                                                                  MD5:A97A49F4F98C19A1590C2AD0082DAE85
                                                                  SHA1:394E1B0EF4909E518CB812E6D373B414A79E0237
                                                                  SHA-256:298F4372EA31AFED2D8BD70AE92CF52293E9630110C8AFE0CD9791218ACD9D54
                                                                  SHA-512:199A3D46CF18B52F3E9B460F4D03498976DFAD77C06B7D4AE3CC2A161B71F7564C7FBA9F73E6DE54CF6765133A625381FACDD4A4BBA9BFFE2FDF7316731C4A37
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....a...NPMS....B...NPNE.....NPE3.......`0.eee.eee...4.444.eee.....l(.6.v.9..4`G$eee$.4...eee$eee...@.eee...b....b.nep^a..00.eee..ee..l@.eeeeeee..{..eeel..n"c^.n."n^..=.e..l@.eeeeeee.....eeeeeeel{l..eee...$>.4o.^.=.{l.l..eee$eeel.l@l{l..eee.M.y..Z4......ll{kl$eeeel{l{keee.k.....eeeGe.e.e.e=e"e.e.e.e.ene.e.e.e.e.e.e.e.e#e.e.e.e"e.ene.e.e^e.e.e.e"e^e.el{l..eeedeeel{l@llk~$eeeelll@.eeeeeeellG@.eee$eeell.@.eeeeeeelll{.eee"n..n"k.....eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeelll0ll.~$eee$lll@.eeehk...R..%_......ll.~$eee$lll@.eeehk...R..%_......llk..eee.......eD.n.e...k......y...................^...~.........>..&............G..]...3.......&3.llk{.eee"n..n"k.....e....~..3..E.....Q3......."......E`.........Ey.......0...~..e=...q..........s...Q..llk..eeeeeeel{l@llk~$eeeelll@.eeeMeeellG@.eeeeeeell.@.eeeeeeelll{.eee"n..n"k......eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeelll0ll.~$eee$lll@.eeehk...R..%_......l
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):9412
                                                                  Entropy (8bit):4.23128321510581
                                                                  Encrypted:false
                                                                  SSDEEP:96:HqWIBLxY38A6c067ocfPB6McclB6et/bFxtXU5bQAeqrD7nEQOhig9tAZAzADwpQ:NYLxI8P67XB6wlB6etuk9pfY
                                                                  MD5:35887A91A064A5E60B617704B4579888
                                                                  SHA1:455F8CCD46DDB06475A943925621E265E021FEE2
                                                                  SHA-256:2E07100246A87840E080D74AFC7FF6B04FC69CAC0DFC729ED047E97756EC6D35
                                                                  SHA-512:AA8090F9A0848E0A5BB4B2E6E63AB5FFB9DC0196E4AAA2C1ED82817ABEE46DE3E07CAEF1675B1D9FDE3BBE6FA0751714C69BEA58D05B3D07214F582573EC08FA
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....D$..NPMS....B...NPNE.....NPE3................Zs.h.hhh......i...jZd~.}.....h.:\...\.h,.....\............Kl.._.d../.H.>..........................Z.....q/.../../.q{.................@.................E..$..|..,..........\......"...................\......"..."...........................|*.|.H..^...l..w..Z@..........................Z)...............\.....@.............\...\..,.........b5...Q...&.AV^.....B..F..........\..........`6..s..h._1.zg.c............\..........\............V.....:.....T...........)......."....M...q"../.q.........................................................................".\............|*.|.H..^...l..w........".\............|*.|.H..^...l..w:..@.....Z................Z..........q.../F...M...q"../.q...............@.............\...\..,.....XR?V.^.,.ufDw_..\Ay7.*LO.............1..........."o.@X..|.....Y.......................\............V.....:.....T...........)......."....M...q"../.q....H...V...............2...
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):3346
                                                                  Entropy (8bit):4.309241928833463
                                                                  Encrypted:false
                                                                  SSDEEP:96:JIJdySW9Snw7HBs0RhT8s1ySkwVwV94Rs5ct:KHbW9Snw7hs0Rh8s1bkL/5ct
                                                                  MD5:243ECD846E854345161BA5DA69CC8769
                                                                  SHA1:69822ED6398EEFEEC1C8A2C0B1C7E0B2D96E561F
                                                                  SHA-256:6B084BE8AE17908006002C19C71B9C2BE56B8B16D56F679C9B79A5F762AC1091
                                                                  SHA-512:BD2105E1F6781847104DB6D8996CC272A52BFE6A2C41F44193E56D9D89061412C51F7BE9F58BF7C645C74159BB74583066C81086F3DC1A2FE9E7800947A322B1
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3........N.\\\.\\\U.R..... \\\.+..9..."hz...8...I.\\\..<..\\\.\\\.%.. \\\{.B..R..HV\^..%NN.\\\.1\\.%...\\\\\\\.%.Uf\\\...V.E.ZV..V..L..\.%...\\\\\\\.%..\\\\\\\...R \\\p.t......|.A........\\\.\\\.......R \\\..k(..R.+..|.......\\\\.....\\\L..?..E.\I\*\K\.\.\.\W\K\.\.\V\.\.\K\U\?\.\L\.\.\.\.\.\.\.\.\?\.\.\W\V\.\K\.\.\.....\\\.\\\........\\\\.....\\\X\\\..I..\\\\\\\.....\\\\\\\.....\\\o.V..?..E.\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\...N.....\\\..... \\\.aq.8^i%.o..BP.......\\\..... \\\.aq.8^i%.o..BP.....Z\\\?..?..E.\.V:\\\\.q2.\\\\\\\\.e..\\\\.q2.\\\\K.EV.\\\K.EV\\\\\\\\\C\\\Q.\q\\\q\\\*1\\(\\\~...\\\\Cw.....Z\\\?..?..E.\.V:\bbbbbbb\\\\\\\\\\\\\\\\.q2.\\\\\\\\\\\\1\ \1\1\\\\\\\\\n.2.n.2.n.2.n.2.n.2...\\^^\\q.\....\\\\\\\.....\\\\\\\.....\\\.\\\.........%...\\\T\\\.%.M.\\\\\\\.%.R \\\.aq.8^i%.o..BP..%U.%NN.\\\.p\\.%...\\\\\\\.%.UD\\\?..?..E.\.%...\\\.\\\.%..\\\\\\\..NR.\\\...<R.\\\.v.....R
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):486965
                                                                  Entropy (8bit):4.913786973915305
                                                                  Encrypted:false
                                                                  SSDEEP:3072:pix5x62YS7Ysh77h7YYXXH0IiTJ8bZaltBMGbsEEtO0OWWoD7022XiwO6klZ8QeL:p4762v7IpZelSr6WwahoCeg
                                                                  MD5:5ADF10672ADF0B973338B65FD71FA534
                                                                  SHA1:9E7B48528A35489501B4674C084441B73BC27DEE
                                                                  SHA-256:BCBFB50883B2A6B63D05A2145C1291AC20435B38A18880BBF3E3755BD7049DFB
                                                                  SHA-512:3BAF7937234D7B94EEE8BB4A9D4D285B1750F97187FCFB381EB6389C9A2B636A9F20D08AE3BE0520BD0C24111BCE3A78ECBFF0FA006E037F79DED2679ED99993
                                                                  Malicious:false
                                                                  Preview:QVRS....?...A3DGCGGG....6.;,Ll.B.Di.8...CGRE.....CGUC........CHCT....(.~B..D.B5e..a.CHSS........CHIT........CHNA....InterfaceCreation.CHIT........CHLC........INID....Qz.}.x.D.B.;#v.ICIC........ICITINID....O.d..dO.}.".{NqINPI.....ININP...iPropLogic..:.\.w.o.r.k.\.Q.u.e.s.t.\.J.u.l.y._.1.2._.O.r.t.e.l.i.a._.C.u.r.a.t.INIC........INITIIPM.....IIIT........IIET........IICT........IIINO...propLogic......................................................................IIISIIOM.....IIIT.....P#.=..L...`...IIOM.....IIIT.....P#.=..L...`...IIPCc...props.signed.......g...........!.......g....\>fe..C.\>fe.............0.!...........................IIPNc...propsLogic.d...........................g...............................g...g...g...g...g...!@...$..IIPC........INITIIPM.....IIIT........IIET........IICT........IIINO...categories.....................................................................IIISIIOM.....IIIT.....y.S.C.8.:....IIOM.....IIIT.....y.S.C.8.:....INITIIPM.....IIIT........IIET.
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):40855
                                                                  Entropy (8bit):4.531610746633681
                                                                  Encrypted:false
                                                                  SSDEEP:768:KEsDwpS/P3JB6QVHex2Dx02+oJQlwlcHd0OHnWBxqPtjnIj6O1SB:nF4oB
                                                                  MD5:7051D6403D246CD75D1995F0BAF742AE
                                                                  SHA1:0A44A88355317EE753501B40E7608C85205FD4BD
                                                                  SHA-256:0CA6900E553285552A82BD8BEFFADFC693F9ACF09E12A6AB6EAC66038F552722
                                                                  SHA-512:99C6E82422B4A1D8056325A6E3134930F7F9A12FD5F2CA80590E81601790930410969AF6F8F7B8922EFFD8A35286D5692D24655F6D0053ABE3691E88C9FF0776
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3...............%6.r&rrr.... /I+x.....=....&r.\....&r.&.......&.&g.......z.....>.(..&........Q..&..g........&..%a......>.c..>&.>..iE..&..g........&..&................y5...&by..V..M.&.&........&.g.......{..5p.\..r.?e...7........7...i.>..>..-.\.5.....E..........>.l.....................>..i....&...........&..........g..7t.......g..........\g..........&g....................>.>............................................................................t......g....7+ .Y....x......t......g....7+ .Y....x.....7&....>..>..i..>.RT..sT...T..@T..@T."@T.4UT...T.m.T...T...T..|T...T.O2T..0T.7 T.-.T...T..sT..DT...T..DT..7.....>..>..i..>.:T.^.T...T...T.4.T...T..*T.=.T...T...T...T...T...T...T...T.-.T...T...T...T...T..T...T..7&..........g..7t.......g..........\g..........&g...................>..&..>..........................................................................t......g....7+ .Y....x....
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):47665
                                                                  Entropy (8bit):3.6543112346951503
                                                                  Encrypted:false
                                                                  SSDEEP:384:FmPsM5vqp2zT85o1co50CZ5Mwo1uph5PyEQoxuNo7ZhopyLo1uph5PyrWQoxuNRC:UkMQ9gUJOH/LbgoqBolU9E
                                                                  MD5:48304B3F220DDC091571CEF0ACB568E1
                                                                  SHA1:2936BAF4D68326E7309056500DF924E17974C5D4
                                                                  SHA-256:A6EB05DCEBD042E8C4D44B6C3E5E2A275FB6F50BC82314560FD018BE3AE4E9B1
                                                                  SHA-512:58F1F4490D57E92F368D370F81F667F854D14FF5556D5A7B0E743358DF5393C9BA394B96D669DCABCBDCC4361E33E4C7AAD16E5105E496385E096DCA3BB754F0
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS........NPMS....B...NPNE.....NPE3........._.......hC..b...q...Re/b...[..NU...b........b..b_.......b.bGq.....f.{|.@.#...<.b..._...VW..b..G_.......b.th3.......`.<..b`.<.....b..G_.......b..b_........t..q...N....)'.!.Z.F#_:.b.b_........b.G.t..q...1..XDW[.......6.t........t.t..........e.........................................................................t.b_..._....t.G............G_..........G_.........bG_..........t....e`<.R................................................................................................._........t.G............G_..........G_.........bG_..........t.....R<...................................................................................................._........t.G............G_...6......G_.........bG_..........t..........e...e..................................................................................Gq...)..}(oI....p ,?............Gq...)..}(oI....p ,?....b..........e.............................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):17914
                                                                  Entropy (8bit):4.403954259392031
                                                                  Encrypted:false
                                                                  SSDEEP:192:KZQGb2+a6nlVjMZTCinZGLVBKnJGihGT/tymSZmj7m6gZmqiK4skmQmvfOqRjCSU:KZQ2vxfK2DQBXg5LjZ
                                                                  MD5:D673453212B1DC02552D79E8BAE22A11
                                                                  SHA1:C1573D5FB2CEED8EBB6FE0EEA8D4497998FE35C6
                                                                  SHA-256:5B0901899912C760805FEF83688ADE6E66F1ACC0BB33549B52766819302C8A1D
                                                                  SHA-512:52F2A1DAC30B1D10F8AA7070CF4A06290A7932B2BF02951E8C9CEC331B84E28269EBDC6B95236E621C8DF022F6EFCB037C94A89151F5D2AF39B815E1EA00F23A
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....zE..NPMS....B...NPNE.....NPE3.....:.?..kkk.kkk..Y.....9kkkmi.......r...Q...?..kkk......kkk.kkk.I..9kkk.....w.Y....k7m4.I...kkk.okk.I...kkkkkkk.I...kkk.p..)/m...).m..'pk.I...kkkkkkk.I...kkkkkkk...Y9kkk^h.v...I...........kkk.kkk......Y9kkk...i.....>Z..n....kkkk.....kkk..s.....'"..kkiksk'k)k8kik:k.k.k.k.kik.k.k~k.k.k.kdk.kSk)k.k.k~k.kmk.k.k.k)kmk.k.....kkk.kkk........kkkk.....kkkokkk.....kkkkkkk.....kkkkkkk....Skkk.s.....'"..kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk......S..kkk....9kkkJ.5..\..... .B...S..kkk....9kkkJ.5..\..... .B.....kkk.s......)m.....kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....kkk.s.....'"..kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk...N......h..NN ..N9B.N..).{...{.NN.QjN.\NN9.N.....kkk.kkk....9kkkJ.5..\..... .B....Skkk.m~~...p..p....".'p..p'...kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk.....kkkkkkk..d.kkk.kkk........I.S.kkk:kkk.I.j.kkkkkkk.I.Y9kk
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):20602
                                                                  Entropy (8bit):4.164439244188392
                                                                  Encrypted:false
                                                                  SSDEEP:384:T6zu6po6NZ6tE6i+6Ipx6o66s6s6s6s6s6s6PVKGxwc8z+E53JM:T77SDST4llllllwK0p
                                                                  MD5:2CADD996265CE4C396903515188B7D84
                                                                  SHA1:3467A502149DD1070EFFE851D098C78E46247123
                                                                  SHA-256:E05933EC18F4A434477523C48A629CA16E84A4D41B2042D58B7320BB633135EA
                                                                  SHA-512:2686F3C845121BD717F78F08BE6DCD698B34BAFEC4FDDCF38DF99BB5755FCE04BEC4BD86F12FABE94E2C58E9F10491B1CC44C823D4425B01F652F8658E38E062
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....O..NPMS....B...NPNE.....NPE3.......ACPWWW.WWW.Ii.....[WWW.K.q.UD..t...W...A|.WWW...=.PWWW.WWW.U.m[WWW...~.@i.~<zW.4..UCCPWWW..WW.U.mPWWWWWWW.U..$WWW.^.z\&4.z.\z4..^W.U.mPWWWWWWW.U..PWWWWWWW..i[WWW"....e.|.....&.l...PWWWWWWW....PWWW.WWW..V..i[WWW..B.g.U.j).9.C.C....WWWW....WWW.m...zV..\.WW.WaW.W\W.W.W.W.WzWOW.W.W.W.W.W.WkW.WVWkW.W\W.WzW.W.W4WkW.W.W\W4W....PWWW.WWW..icWWWCC.M..i..Ku..2.L...../..oO.^..j..C....PWWWPWWW..m.....WWWW...mPWWWWWWW..|mPWWW.WWW...mPWWWWWWW....WWW.....^..^...^WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW...C.....WWW...m[WWWe..T.5%..u.8.....m.....WWWW...mPWWWPWWW..|mPWWW.WWW...mPWWW.WWW....WWW^4LzWLzWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW...C.....WWWW..m.....WWWW...mPWWW.WWW..|mPWWW.WWW...mPWWW.WWW....WWWp4..zWzWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW...C.....WWWW..m.....WWWW...mPWWW.WWW..|mPWWW.WWW...mPWWW.WWW....WWWO.....^O.
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):807440
                                                                  Entropy (8bit):5.3713230338705635
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ryvOkNKvuWPcvXHgTkfgARN6HFVNiCSOvE3:ryvOJARN6HFVNiZ
                                                                  MD5:6211262E5E484754A28D1D7F43394954
                                                                  SHA1:0CD0D63A9EDCE647B47CB8863E51213C87F3FFE9
                                                                  SHA-256:5DC588BC04D9701751A664DCDE0FD6B3B9DA535A86BA3C09FB84B15238C19F8A
                                                                  SHA-512:D4D9D3AE11F34715E001626860B70F347C0DE799B34E2530DCAC6FCC9CB34E7D9BF2570219B336A722C6B04F9682AB01F85149A2EEF8579CDB02E49F317AB060
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....Q..NPMS....B...NPNE.....NPE3........$......J.o.ooo....s./N>..z.N.}..o.:l...l.o.$...l....s.........)..9..x.H...s..$.....l..s..$........s........?x..x..x.?...s..$........s..$..............q..A]...y..>........$..................|.Q....=Ly...p(....l...............x...?.:...'.......'....x...?.'......v...v.4..?.x.......v......?.....$...2...........l........$...u.....:.$...........$...5.......4....x....x7?..x.........................................................................4.l...............\...w._e...4.l...............\...w._e.........l........$...l.....:.$...........$...........4........x...............................................................................4.l......4.l.......:$...............l........$...3.....:.$...........$...........4......x...............................................................................4.l...l........~....A...N.z..4.l...l........~....A...N.z.........x...?..x..c..
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):311789
                                                                  Entropy (8bit):4.594976747266845
                                                                  Encrypted:false
                                                                  SSDEEP:3072:Dxr4uXYUx+MWRTiAoQw92S7qeorJMobK4bZa2MUar/mA:9XYUoRTiAoQu7qeor22Mr/mA
                                                                  MD5:4244806EB57EC46B453ED5633C224342
                                                                  SHA1:D94632FD59F266345403AE9C8229D3C883F15D7F
                                                                  SHA-256:F7239C651BCE832EADCCC0D03A2439608CCFB57FC4A319960C40CEAAEC21B42C
                                                                  SHA-512:F2F1450782817100FCA9691F21CD6AA2ED032902629676CEC6DA159BB38C65FC56D3D79256372552A9EB8F30D3E775EE1F86D530B7C64D17443E7290C0CB3768
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....m...NPMS....B...NPNE.....NPE3............G...C.n..........j.B*......m^....a....... ................x.ftM.n.tuo............k....=...........C....=..o....o..o..-....=....................=.=n.........h..)=..[.=.=.........=.=.=.=n....(.sX....m{....=..=.....=.=.....-..jj...-.....Y.Z....Y...E.o.,...Y...E.j...L..X.L.....o.j.-...L..E......=.=.....{...=.=.==.......===.....?...==a.........==..........===.....o.~o...jj.ojo..-..............................................................===.==.......===..........g...{F.2.==.......===..........g...{F.2.==......Z.jj,.,-.o~......t.Q.t............................................................................==......Z.jj.ojo..-...o.~o.................................................................................==..........=.=.==.......===.....?...==a.........==..........===.....Z.jj...-.......................................................................===.==.......===..........g...{F.2.=
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PC bitmap, Windows 3.x format, 309 x 825 x 24, image size 765602, resolution 2834 x 2834 px/m, cbSize 765656, bits offset 54
                                                                  Category:dropped
                                                                  Size (bytes):765656
                                                                  Entropy (8bit):2.3043447885123483
                                                                  Encrypted:false
                                                                  SSDEEP:1536:LZaeqHOau99TPmv/jesEnGg1LHlznGpZQrVnMr+RycVayK605S3ED2nzXmzKDjot:la6eBcgv605LymzK/fq8zK
                                                                  MD5:624890AA5DF947F2E5229C65153EBB2B
                                                                  SHA1:C581D12210C984F7A44C4A075C37BC3704A0E21A
                                                                  SHA-256:58F9289FA83F0BCF60775147632843AF1C7B516082816B97F6B12E41FE4A1A24
                                                                  SHA-512:C7A49D52EBB3B5A10792F2893E4B0550137115AF8EF2198228B8C223CE51CF76AC97554EEE53513769B15BC4A5088BBEA9E55C768FF359A1842787ACEDB5FC45
                                                                  Malicious:false
                                                                  Preview:BM.......6...(...5...9.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):19460
                                                                  Entropy (8bit):4.7892441513068125
                                                                  Encrypted:false
                                                                  SSDEEP:384:1WIhQmlwt/xle01+oRhtrMZK/1rUb32EnlMHORQQdlC8ifrUIdSwlNxpCaNfLxxG:1WIhQmlwt/xle01+oRhtrMZK/1rUb32G
                                                                  MD5:B3C89DC07D42E54C89053372F9DD4907
                                                                  SHA1:6A4EA979A48B6B9989E3C74051D60339436316B3
                                                                  SHA-256:BD50CA555435D8D735687474CDE4BD308DAD0BDB3D6166E144F914B312D2E093
                                                                  SHA-512:2977890E052129ECB670A0CCF9E62913C3C63C1FD92D2987472A0EE1B4A4BE29E578A20109461E281BD02FFF98018486351D45CE050FA8D38744C9834CE916C3
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....K..NPMS....B...NPNE.....NPE3.........n777[777.......I777...5.....<........*57775....n7775777...6I777;.i.^.G..^l.7.2....n777:.77...6n7777777....-777..R.j....j.Rz`.7...6n7777777..a.n7777777....I777.y...@..mT.........n7775777...6....I777J..{.#.a.3.|.}".....57777.....777z..7..737*7.7.7.7`7j7B7.7.7E7.7.7R7.7.7E7.7.7.7.717.7.7j7R7.7.7z7.7.7.7E7j7.7R7....n7775777...6....57777...6n777.777..*6n7777777...6n7777777.....777...j7.777777777777777777777777777777777777777777777777777777777777777777777777........57775...6I777..J+f..a.ki..<sL....57775...6I777..J+f..a.ki..<sL.....777..7...z...07777gs..77777777....7777gs..7777....5`.....777777777d7774a.s777s777.e77r777.A57777\.A.....777...j7.z...07.......7777777777777777gs..777777777777e7I7e7e777777777X...X...X...X...X...uu.8..77s.7....n7777777....n7775777...1....I777V.s....g....QD....57777.....777.......7777777777777777777777777777777777777777777e77777777777777777777777777....n7775777....3777..@(Pc...].k...m
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):699328
                                                                  Entropy (8bit):3.5664334921789873
                                                                  Encrypted:false
                                                                  SSDEEP:768:TcdpMKzC6Mt22t6cVDzB/QjziX3yWrYJa/iHTBAgqgTt5Rr8+tPUN9WdW+3lpSya:TlwBlAh
                                                                  MD5:EFD22FBEC2EF90026F28C782305C4F0F
                                                                  SHA1:FED03C489BCA9C7520D97771FA0B21778F68C07B
                                                                  SHA-256:35CBFE95DA1A28ADC3C96036B920B3AE5604244951DB0A61395DA7B0C091AC26
                                                                  SHA-512:06BDEC8E01DA59457AEE82D80BDF8988703C423693DDF464C7DBEB3FE2A923422FDD0E5AE685BE1BC91630E3504F8057E94BCDCEC0F61571C0D28A2B88569B1B
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS....@...NPMS....B...NPNE.....NPE3......Xa.P...G...:.C.CCC....2b...x.<6...^O .Ca.....C-.P...............7...5.=.d5...!@.....P...........P..........:....B...@N....@..B.....P...........P...............qF.r.:y..6m..B....P....................rgB.......fd....................N.....2p.'.+Z"........2p......2p..M........E.2p......2p..ek........E.2p.....P......................P...........P...........P...........j...N@kk.....N.........................................................................j................r.....>...'{2H..j................r.....>...'{2H....N........N..B...W.Z..Z...ZE..Z...Z.o.Z'`.Z.`.ZWz.Z...Z7 .Z..Z.0.Z.l.Z'.wZ%!wZ.IwZ+.wZ..wZ&.Z...Z.J.....N........N..B...z.Zy.wZ..wZ..Z.V.Z...Z0D.Z_.wZ..wZ+..Z...Z..Z..wZ.W.Z7YwZyIwZ+V.Z0PwZ...Z'\wZ%..Z.!w....P...........P..................c..1..B.8.Z....5.............j...Nj..B.@.B}.B......................)...k....b.....j......k...@.........@......P..........Z........}p.d...(X<..S
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):8811
                                                                  Entropy (8bit):4.4314106040712575
                                                                  Encrypted:false
                                                                  SSDEEP:192:hhmUJFDy/p1YqQRhDJ/OFC/7ZuBfB1wZKMZs:hhmuFDy/p17QzDJ/OFC/7ZuBfB+ZKMZs
                                                                  MD5:F7EB10DAD2FA26D92B717E267B76C447
                                                                  SHA1:84D6911094CCB1EBAEE949A08FA618674B8955D4
                                                                  SHA-256:A501096CDE6DA67B1756364FD8E8380B2FBFBF7C449D032C1EF9A957E03692CA
                                                                  SHA-512:62010D62EBAFA6CFF2C450DBC943B99F23EF43392D4D83EDBE5A6A898403ECF7C5F46D5A4CAE4A77A474E47D98B0F481CF2B78C83AC4F18F24325EDC8E8F0207
                                                                  Malicious:false
                                                                  Preview:__3_NEWPNFCT........NPDS.....!..NPMS....B...NPNE.....NPE3....."..1XXX.XXX.M.. ..._XXX?....!..}.G..... ..XXX. .. 1XXX.XXX . ._XXX.r..i..9i..Xu.< ...1XXXW1XX .,.1XXXXXXX .E..XXX,.S..... ...S..X .,.1XXXXXXX .. 1XXXXXXX,E,._XXX.i^.C.:oF...g0.y, , 1XXX.XXX, ,.,E,._XXX..0....A..{...,Eb,.XXXX,E,EbXXX....3XXX.X.X.X.X.X.X.X.X"XgX.X.XSX.X.XgX.X(X.X.X.X.X.X.XSX.X.X.X.X.X XgX.X.XSX,E, 1XXX.XXX,E,.,,b..XXXX,,,.1XXX2XXX,,..1XXXXXXX,, .1XXXXXXX,,,E.XXX.....3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,,,.,,.XXX.,,,._XXXObA.8.;..H...*).,,.XXX.,,,._XXXObA.8.;..H...*).,,b .XXX.....3X.|..3XXXX.).|XXXXXXXX$.j.XXXX.).|XXXX.......J....XXXXXXXXX.XXXV.o.XXX.XXX..XX3XXX..u.XXXXcnu,,bE.XXX.....3X.|..3X.......XXXXXXXXXXXXXXXX.).|XXXXXXXXXXXX.X_X.X.XXXXXXXXX.N.|.N.|.N.|.N.|.N.|....uuXX)QX,,b 1XXX2XXX,,b._XXX.9..o..w..#.A..,,bE.XXX....o...XX .E..XXX... .....,..S........SX .,.1XXXXXXX .. 1XXXXXXX, ..XXX., ,,b._XXX.9..o..w..#.A..,,bE.XXX&...E...XXXXXXXXXXXXXXXXXXXXXX
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:PC bitmap, Windows 3.x format, 512 x 512 x 24, image size 786434, resolution 2834 x 2834 px/m, cbSize 786488, bits offset 54
                                                                  Category:dropped
                                                                  Size (bytes):786488
                                                                  Entropy (8bit):3.8647628904940303
                                                                  Encrypted:false
                                                                  SSDEEP:1536:l3bvv1iy89vNSHiq1x0bQ8KadIH0yFrFU6AzZk4IvUHAgt02RTf+QdxUMfBd/rf9:l3bv9iyCYaKjc+vUHNhR7/DVT7
                                                                  MD5:DF8D2636B97A76831D573835DA84C9A1
                                                                  SHA1:FDB5A9AAA9A0E9BCFA0A20A47E7D13EB50344631
                                                                  SHA-256:51A2BABEA5D0CDF578F467FABAF86480E11021C145F6029F3D4708486F840BC7
                                                                  SHA-512:807C3771F07FEEC42ABF226DC3AC7F624C07B7A69088006AC22FCC2BED86371EB42C6277BE515E53479302C04F7F4F1A1C11818682ED49B450573017922A473C
                                                                  Malicious:false
                                                                  Preview:BM8.......6...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  File Type:7-zip archive data, version 0.2
                                                                  Category:dropped
                                                                  Size (bytes):44723951
                                                                  Entropy (8bit):7.999995732638711
                                                                  Encrypted:true
                                                                  SSDEEP:786432:pwlAIGBQds8jBn7Q4BJEBQ75dHQT4kkt0f1kWPfXZWM/oP2JnY3jp8bB:pwmNBGBn7hDEy75VQTD8WEMQPgY32bB
                                                                  MD5:FBE44B50E2D1A8A64DF20ED99112B78A
                                                                  SHA1:D0F8A0DAAF289BBBB4E157D579C7421A3BFF7064
                                                                  SHA-256:7C36563A38806272065B0E8A3B61CF2943E2CDFD1256325AE0FDC9C93C290B88
                                                                  SHA-512:8AF871AA64473C0D2993E42679C0FA94BCBDB4A2EFB9C8190229CC60F431DD8CF72EA2B36B91AE230C379C36E13DA80E0F7343DD9273476EDB588D4B60F40C8C
                                                                  Malicious:false
                                                                  Preview:7z..'......Nan......n.........N..e.|.G.})..GYg.............c..=......p.`..[.....[H.;......2Q......._...hl..?.7.....L.....iW..9... i[..UJ..r..W...\.G.....6._.uoL.V.2.P..6".W....\F...Q5.?Y.....6..W4....C.xI.^..V.._........Z6.\.V.s.....-G...T...'s(.]!...K.%n.`......E...'F........R...sX..]..0^.R.f.'...Fv.......l.....:BM.%,..2.g.....p.6..?..../.*Ec.tf..p...K..c....a.7.7.4...=.Y.{.3..r=..A.....y*M..0c+.=....:qv.).....z.`.....bC.....`......RQbTy.>..LV...9._....$.S.<..W0.C(~w......X.......U..,...J..Sf.3.^.d...e.b.....r.".9i.6.......\..5.z.^&...X.....7)>.D..x>.ag....tDL.4.....(..7"..6..................G........Z/....{...ku].PW*.u.....<CY|]b..3.^&".....OB.'.Z.L0j..2../.b.....5.........< F..{...:yAxp.H..N.......a......]..{...QLc.).....y...[..%...f.^...+...ih..2.O...W.....!.._...qg../.g.DN.P&.....v...f...;....w.@..P.il......RL..`d..@.5.....,.....qK6[..'.i....t.....e.I...#.............#wz.r........\..9..1.....LV@ u..=K.q.~l......~.Jl.].owy.k.
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14848
                                                                  Entropy (8bit):5.550299117674118
                                                                  Encrypted:false
                                                                  SSDEEP:192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
                                                                  MD5:325B008AEC81E5AAA57096F05D4212B5
                                                                  SHA1:27A2D89747A20305B6518438EFF5B9F57F7DF5C3
                                                                  SHA-256:C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
                                                                  SHA-512:18362B3AEE529A27E85CC087627ECF6E2D21196D725F499C4A185CB3A380999F43FF1833A8EBEC3F5BA1D3A113EF83185770E663854121F2D8B885790115AFDF
                                                                  Malicious:false
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p..q.,.q.,.q.,.q.,@q.,.~C,.q.,\R.,.q.,\R/,.q.,.w.,.q.,.Q.,.q.,Rich.q.,........................PE..L......K...........!.........<.......).......0.......................................................................8..p...81.......p..........................@....................................................0..8............................text...@........................... ..`.rdata.......0....... ..............@..@.data... (...@.......*..............@....rsrc........p.......2..............@..@.reloc...............4..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):4096
                                                                  Entropy (8bit):3.331979080664426
                                                                  Encrypted:false
                                                                  SSDEEP:48:iViF7LLM4wXqQH1wRrOpArXMVyjlZSXRN:ky7EcQHu4tVy4R
                                                                  MD5:7579ADE7AE1747A31960A228CE02E666
                                                                  SHA1:8EC8571A296737E819DCF86353A43FCF8EC63351
                                                                  SHA-256:564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5
                                                                  SHA-512:A88BC56E938374C333B0E33CB72951635B5D5A98B9CB2D6785073CBCAD23BF4C0F9F69D3B7E87B46C76EB03CED9BB786844CE87656A9E3DF4CA24ACF43D7A05B
                                                                  Malicious:false
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................4..............Rich..................PE..L......K...........!......................... ...............................P...................................... "......L ..<............................@..d.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...X....0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:Generic INItialization configuration [Field 1]
                                                                  Category:dropped
                                                                  Size (bytes):687
                                                                  Entropy (8bit):5.332522866187708
                                                                  Encrypted:false
                                                                  SSDEEP:12:lOHf9VTsAgQRvAYfmhVO4gNhBgJMcf74gNg7Ejl8s3Nkv50dgNCzDn:WTdRvAYfmhVO1CJF71Sgj1a50CIzDn
                                                                  MD5:902B2C60529A673F5E5A480D09B5DF1A
                                                                  SHA1:E84E396E41B5DE0ECD3D4F82A1E29994CF317E94
                                                                  SHA-256:9A0F3265BB457C650A385014EF68EC9766760B026614181889ADF54A33C1DFC4
                                                                  SHA-512:DAFFB81F3FF0727267E52ECAE7AA0D17627B6093E5D998348B8D60A2F0A08070C41031692F5E62ADB56276AEB8EA0539BCB3C81C41745DB3787339076AA4F3F7
                                                                  Malicious:false
                                                                  Preview:[Settings]..Rect=1044..NumFields=4..RTL=0..NextButtonText=&Finish..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nss68C1.tmp\modern-wizard.bmp..HWND=393842..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Completing the Ortelia Curator 1.3 Setup Wizard..Bottom=38..HWND=132230..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=85..Text=Ortelia Curator 1.3 has been installed on your computer.\r\n\r\nClick Finish to close this wizard...HWND=132228..[Field 4]..Type=CheckBox..Text=&Run Ortelia Curator 1.3..Left=120..Right=315..Top=90..Bottom=100..State=1..HWND=132226..
                                                                  Process:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
                                                                  Category:dropped
                                                                  Size (bytes):26494
                                                                  Entropy (8bit):1.9568109962493656
                                                                  Encrypted:false
                                                                  SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
                                                                  MD5:CBE40FD2B1EC96DAEDC65DA172D90022
                                                                  SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
                                                                  SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
                                                                  SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
                                                                  Malicious:false
                                                                  Preview:BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):3120
                                                                  Entropy (8bit):0.5616156429501304
                                                                  Encrypted:false
                                                                  SSDEEP:12:g/99U6666e666666ORSRS1608B6ut6iX06S6febpwP1664:g19U6666e666666a676ut6iE6S63t664
                                                                  MD5:ED1B1DB7780C703369E38B4D4429CD58
                                                                  SHA1:D73D600FC13A25F1FA5D6B5FB1187A7F0996FD81
                                                                  SHA-256:9A88405844AC4DF5E1474925BFEE653E8D6B57EC75CE1432E873CB5E559A327A
                                                                  SHA-512:CA430145B8B3C77E899CFB51A2B39065326A756661ED3E36E5387020D19838928DF199F2D4DFBADF2568EF1B72A36AE50A0CFC9F51803B7AC506634FD7BD2292
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P...r...m...............................................................................................................................................................................................................
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):23596
                                                                  Entropy (8bit):5.1572677124828505
                                                                  Encrypted:false
                                                                  SSDEEP:96:ibnkCbDbvQQXKtQLuR0atR5gb/bP/0c9Nxq3bnYnIIbBdIbh9bX8HVJGqG6pVLHH:IkDsiR/jpN4wu
                                                                  MD5:3F75616043B53DE858866DDDC3C0AA32
                                                                  SHA1:272B6DD40F1C2383D771590299434190E086F61C
                                                                  SHA-256:B01BE71F91FC0769FE7A5BE9A72FF45173CEC82FF9D2A6DA384D1E8C140A2BB7
                                                                  SHA-512:9B15B06F95823E588137AD019B6062ACC8DFDA12544C056AE3EC5D5538FD316059CE00367228E93096F3419225B06F84A5E1CE0347B1807BA86E919CD0C92B15
                                                                  Malicious:false
                                                                  Preview:05/10/24 05:10:46: DXSetup: No command line switch..05/10/24 05:10:46: DXSetup: StartWizard()..05/10/24 05:10:54: DXSetup: CDXWSetup()..05/10/24 05:10:56: DXSetup: start installation..05/10/24 05:10:56: DSETUP: DirectXSetupA(): hWnd: 00050272 dwFlags: 02010098........05/10/24 05:10:56: dsetup32: === SetupForDirectX() start ===..05/10/24 05:10:56: dsetup32: Mar 30 2011 04:38:03..05/10/24 05:10:56: dsetup32: DXSetupCommand = 0...05/10/24 05:10:56: DXSetup: DSetupCallback(): Phase = 0, Steps = 0..05/10/24 05:10:56: dsetup32: Installing on Windows 6.2.9200..05/10/24 05:10:56: dsetup32: DirectXSetupIsJapanese == 0..05/10/24 05:10:56: dsetup32: DirectXSetupIsJapanNec == 0..05/10/24 05:11:11: dsetup32: IsIA64(): not IA64...05/10/24 05:11:11: dsetup32: CLR version number = 2.0.50727....05/10/24 05:11:11: dsetup32: CLR version number = 4.0.30319....05/10/24 05:11:11: dsetup32: DXCheckTrust(): C:\PROGRA~2\ORTELI~1\DirectX\dxupdate.cab is trusted...05/10/24 05:11:11: dsetup32: GetCDXUpdate(): Ext
                                                                  Process:C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):3120
                                                                  Entropy (8bit):0.5616156429501304
                                                                  Encrypted:false
                                                                  SSDEEP:12:g/99U6666e666666ORSRS1608B6ut6iX06S6febpwP1664:g19U6666e666666a676ut6iE6S63t664
                                                                  MD5:ED1B1DB7780C703369E38B4D4429CD58
                                                                  SHA1:D73D600FC13A25F1FA5D6B5FB1187A7F0996FD81
                                                                  SHA-256:9A88405844AC4DF5E1474925BFEE653E8D6B57EC75CE1432E873CB5E559A327A
                                                                  SHA-512:CA430145B8B3C77E899CFB51A2B39065326A756661ED3E36E5387020D19838928DF199F2D4DFBADF2568EF1B72A36AE50A0CFC9F51803B7AC506634FD7BD2292
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P...r...m...............................................................................................................................................................................................................
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Entropy (8bit):7.999903752602207
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                  • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:CuratorStandardSetup.exe
                                                                  File size:98'839'899 bytes
                                                                  MD5:37e44e8c19fd8bc70047754346cc18e9
                                                                  SHA1:07797a9e5d5af865913c5d1147ddcfd623bd19ef
                                                                  SHA256:faf966bb5a225d91333e2915dca6294db72f54ecb98720890f53270ce4a747c9
                                                                  SHA512:dccfc3fbee5feb56ecfd1cc44d6c20dcd941147ee94993087bc4d8dd0f14b926cdde290259db2ceb0f948ab7911bf0e1bdd39c9acef1d4b7c0d02f73a930cb98
                                                                  SSDEEP:1572864:YbiXsuM65Go7v/ilWgOQGiYo0y+nn6HC2e5oUZx0cZeN7BsRIa8l7klCXAg:YWXswClSQGayn6HU7ZxtRARklCn
                                                                  TLSH:BC28333FBCCBD097DE85E8B0A08033BA34B71806865B975E715935FB60DADF091918B6
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........
                                                                  Icon Hash:0f6361e86171138f
                                                                  Entrypoint:0x4030fa
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:7fa974366048f9c551ef45714595665e
                                                                  Instruction
                                                                  sub esp, 00000180h
                                                                  push ebx
                                                                  push ebp
                                                                  push esi
                                                                  xor ebx, ebx
                                                                  push edi
                                                                  mov dword ptr [esp+18h], ebx
                                                                  mov dword ptr [esp+10h], 00409160h
                                                                  xor esi, esi
                                                                  mov byte ptr [esp+14h], 00000020h
                                                                  call dword ptr [00407030h]
                                                                  push 00008001h
                                                                  call dword ptr [004070B0h]
                                                                  push ebx
                                                                  call dword ptr [0040727Ch]
                                                                  push 00000008h
                                                                  mov dword ptr [0042EC18h], eax
                                                                  call 00007F731CCA0536h
                                                                  mov dword ptr [0042EB64h], eax
                                                                  push ebx
                                                                  lea eax, dword ptr [esp+34h]
                                                                  push 00000160h
                                                                  push eax
                                                                  push ebx
                                                                  push 00428F98h
                                                                  call dword ptr [00407158h]
                                                                  push 00409154h
                                                                  push 0042E360h
                                                                  call 00007F731CCA01E9h
                                                                  call dword ptr [004070ACh]
                                                                  mov edi, 00434000h
                                                                  push eax
                                                                  push edi
                                                                  call 00007F731CCA01D7h
                                                                  push ebx
                                                                  call dword ptr [0040710Ch]
                                                                  cmp byte ptr [00434000h], 00000022h
                                                                  mov dword ptr [0042EB60h], eax
                                                                  mov eax, edi
                                                                  jne 00007F731CC9D94Ch
                                                                  mov byte ptr [esp+14h], 00000022h
                                                                  mov eax, 00434001h
                                                                  push dword ptr [esp+14h]
                                                                  push eax
                                                                  call 00007F731CC9FCCAh
                                                                  push eax
                                                                  call dword ptr [0040721Ch]
                                                                  mov dword ptr [esp+1Ch], eax
                                                                  jmp 00007F731CC9D9A5h
                                                                  cmp cl, 00000020h
                                                                  jne 00007F731CC9D948h
                                                                  inc eax
                                                                  cmp byte ptr [eax], 00000020h
                                                                  je 00007F731CC9D93Ch
                                                                  cmp byte ptr [eax], 00000022h
                                                                  mov byte ptr [eax+eax+00h], 00000000h
                                                                  Programming Language:
                                                                  • [EXP] VC++ 6.0 SP5 build 8804
                                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x4858 | .rsrc
                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                   .text | 0x1000 | 0x5c4c | 0x5e00 | 856b32eb77dfd6fb67f21d6543272da5 | False | 0.6697140957446809 | data | 6.440105549497952 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                   .rdata | 0x7000 | 0x129c | 0x1400 | dc77f8a1e6985a4361c55642680ddb4f | False | 0.43359375 | data | 5.046835307909969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                   .data | 0x9000 | 0x25c58 | 0x400 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f | False | 0.5849609375 | data | 4.801003752715384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .ndata | 0x2f000 | 0x9000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   .rsrc | 0x38000 | 0x4858 | 0x4a00 | ccd5974887f6f69db8fc2ed2903372a9 | False | 0.17425042229729729 | data | 2.539268821016506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                   RT_ICON | 0x38310 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4608 | English | United States | 0.33339210155148097
                                                                   RT_ICON | 0x39938 | 0xea8 | data | English | United States | 0.007196162046908316
                                                                   RT_ICON | 0x3a7e0 | 0x8a8 | data | English | United States | 0.01128158844765343
                                                                   RT_ICON | 0x3b088 | 0x568 | data | English | United States | 0.014450867052023121
                                                                   RT_ICON | 0x3b5f0 | 0x468 | data | English | United States | 0.015957446808510637
                                                                   RT_ICON | 0x3ba58 | 0x2e8 | data | English | United States | 0.020161290322580645
                                                                   RT_ICON | 0x3bd40 | 0x128 | data | English | United States | 0.04391891891891892
                                                                   RT_DIALOG | 0x3be68 | 0xb4 | data | English | United States | 0.6111111111111112
                                                                   RT_DIALOG | 0x3bf20 | 0x120 | data | English | United States | 0.5138888888888888
                                                                   RT_DIALOG | 0x3c040 | 0x202 | data | English | United States | 0.4085603112840467
                                                                   RT_DIALOG | 0x3c248 | 0xf8 | data | English | United States | 0.6290322580645161
                                                                   RT_DIALOG | 0x3c340 | 0xee | data | English | United States | 0.6260504201680672
                                                                   RT_GROUP_ICON | 0x3c430 | 0x68 | data | English | United States | 0.7884615384615384
                                                                   RT_MANIFEST | 0x3c498 | 0x3be | XML 1.0 document, ASCII text, with very long lines (958), with no line terminators | English | United States | 0.5198329853862212
                                                                   DLL | Import
                                                                   KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                                                                   USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                   GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                   SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                   ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                   COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                   ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                                                   VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                                                                   Language of compilation system | Country where language is spoken | Map
                                                                   English | United States |
                                                                  No network behavior found

                                                                  Target ID:0
                                                                  Start time:05:10:28
                                                                  Start date:10/05/2024
                                                                  Path:C:\Users\user\Desktop\CuratorStandardSetup.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\CuratorStandardSetup.exe"
                                                                  Imagebase:0x400000
                                                                  File size:98'839'899 bytes
                                                                  MD5 hash:37E44E8C19FD8BC70047754346CC18E9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:05:10:46
                                                                  Start date:10/05/2024
                                                                  Path:C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\Ortelia Curator\tools\deactivate.exe" /OPENLF
                                                                  Imagebase:0x400000
                                                                  File size:1'810'432 bytes
                                                                  MD5 hash:0F979E7E706E1BDD0BECB0766B386C57
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 15%, Virustotal
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:05:10:46
                                                                  Start date:10/05/2024
                                                                  Path:C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\Ortelia Curator\DirectX\DXSETUP.exe"
                                                                  Imagebase:0xc30000
                                                                  File size:517'976 bytes
                                                                  MD5 hash:BF3F290275C21BDD3951955C9C3CF32C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  • Detection: 0%, Virustotal
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:05:11:11
                                                                  Start date:10/05/2024
                                                                  Path:C:\Windows\System32\SrTasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
                                                                  Imagebase:0x7ff72e740000
                                                                  File size:59'392 bytes
                                                                  MD5 hash:2694D2D28C368B921686FE567BD319EB
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:false

                                                                  Target ID:13
                                                                  Start time:05:11:11
                                                                  Start date:10/05/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:14
                                                                  Start time:05:11:17
                                                                  Start date:10/05/2024
                                                                  Path:C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe"
                                                                  Imagebase:0x400000
                                                                  File size:44'867'363 bytes
                                                                  MD5 hash:A920B45A4CB4B98E152C745B714A2AD8
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, Virustotal
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:15
                                                                  Start time:05:11:37
                                                                  Start date:10/05/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\Quest3D0\QuestViewer.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:QuestViewer.exe Q3DStart.q3d
                                                                  Imagebase:0x400000
                                                                  File size:1'812'064 bytes
                                                                  MD5 hash:16E05FBD59127A172B69DBAEA52AB595
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:false

                                                                    Execution Graph

                                                                    Execution Coverage:32%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:23.1%
                                                                    Total number of Nodes:1225
                                                                    Total number of Limit Nodes:50
lstrcpynA 3803->3808 3805->3801 3806->3803 3807->3797 3808->3799 3809 402506 3810 4029d9 18 API calls 3809->3810 3813 402510 3810->3813 3811 402586 3812 402544 ReadFile 3812->3811 3812->3813 3813->3811 3813->3812 3814 402588 3813->3814 3817 402598 3813->3817 3818 40596a wsprintfA 3814->3818 3816 4025ae SetFilePointer 3816->3811 3817->3811 3817->3816 3818->3811 3819 401c8a 3820 4029d9 18 API calls 3819->3820 3821 401c91 3820->3821 3822 4029d9 18 API calls 3821->3822 3823 401c99 GetDlgItem 3822->3823 3824 4024b8 3823->3824 3000 40190d 3001 40190f 3000->3001 3002 4029f6 18 API calls 3001->3002 3003 401914 3002->3003 3006 405331 3003->3006 3047 4055e0 3006->3047 3009 405365 3012 40549a 3009->3012 3061 405a0c lstrcpynA 3009->3061 3010 40534e DeleteFileA 3011 40191d 3010->3011 3012->3011 3066 405d07 FindFirstFileA 3012->3066 3014 40538f 3015 4053a0 3014->3015 3016 405393 lstrcatA 3014->3016 3072 405546 lstrlenA 3015->3072 3017 4053a6 3016->3017 3021 4053b4 lstrcatA 3017->3021 3022 4053bf lstrlenA FindFirstFileA 3017->3022 3021->3022 3022->3012 3030 4053e3 3022->3030 3025 40552a CharNextA 3025->3030 3026 4056c4 2 API calls 3027 4054cf RemoveDirectoryA 3026->3027 3028 4054f1 3027->3028 3029 4054da 3027->3029 3034 404daa 25 API calls 3028->3034 3029->3011 3033 4054e0 3029->3033 3030->3025 3031 405479 FindNextFileA 3030->3031 3040 405331 59 API calls 3030->3040 3043 404daa 25 API calls 3030->3043 3046 405457 3030->3046 3062 405a0c lstrcpynA 3030->3062 3063 4056c4 GetFileAttributesA 3030->3063 3031->3030 3035 405491 FindClose 3031->3035 3036 404daa 25 API calls 3033->3036 3034->3011 3035->3012 3037 4054e8 3036->3037 3038 40575a 38 API calls 3037->3038 3041 4054ef 3038->3041 3040->3030 3041->3011 3043->3031 3044 404daa 25 API calls 3044->3046 3046->3031 3046->3044 3076 40575a 3046->3076 3102 405a0c lstrcpynA 3047->3102 3049 4055f1 3103 405593 CharNextA CharNextA 3049->3103 3052 405345 3052->3009 3052->3010 3053 405c6e 5 API calls 3059 405607 3053->3059 3054 405632 lstrlenA 
3055 40563d 3054->3055 3054->3059 3057 4054ff 3 API calls 3055->3057 3056 405d07 2 API calls 3056->3059 3058 405642 GetFileAttributesA 3057->3058 3058->3052 3059->3052 3059->3054 3059->3056 3060 405546 2 API calls 3059->3060 3060->3054 3061->3014 3062->3030 3064 405446 DeleteFileA 3063->3064 3065 4056d3 SetFileAttributesA 3063->3065 3064->3030 3065->3064 3067 4054bf 3066->3067 3068 405d1d FindClose 3066->3068 3067->3011 3069 4054ff lstrlenA CharPrevA 3067->3069 3068->3067 3070 4054c9 3069->3070 3071 405519 lstrcatA 3069->3071 3070->3026 3071->3070 3073 405553 3072->3073 3074 405564 3073->3074 3075 405558 CharPrevA 3073->3075 3074->3017 3075->3073 3075->3074 3109 405d2e GetModuleHandleA 3076->3109 3079 4057c2 GetShortPathNameA 3081 4057d7 3079->3081 3082 4058b7 3079->3082 3081->3082 3084 4057df wsprintfA 3081->3084 3082->3046 3083 4057a6 CloseHandle GetShortPathNameA 3083->3082 3085 4057ba 3083->3085 3086 405a2e 18 API calls 3084->3086 3085->3079 3085->3082 3087 405807 3086->3087 3114 4056e3 GetFileAttributesA CreateFileA 3087->3114 3089 405814 3089->3082 3090 405823 GetFileSize GlobalAlloc 3089->3090 3091 4058b0 CloseHandle 3090->3091 3092 405841 ReadFile 3090->3092 3091->3082 3092->3091 3093 405855 3092->3093 3093->3091 3115 405658 lstrlenA 3093->3115 3096 4058c4 3099 405658 4 API calls 3096->3099 3097 40586a 3120 405a0c lstrcpynA 3097->3120 3100 405878 3099->3100 3101 40588b SetFilePointer WriteFile GlobalFree 3100->3101 3101->3091 3102->3049 3104 4055ad 3103->3104 3108 4055b9 3103->3108 3105 4055b4 CharNextA 3104->3105 3104->3108 3106 4055d6 3105->3106 3106->3052 3106->3053 3107 40552a CharNextA 3107->3108 3108->3106 3108->3107 3110 405d55 GetProcAddress 3109->3110 3111 405d4a LoadLibraryA 3109->3111 3112 405765 3110->3112 3111->3110 3111->3112 3112->3079 3112->3082 3113 4056e3 GetFileAttributesA CreateFileA 3112->3113 3113->3083 3114->3089 3116 40568e lstrlenA 3115->3116 3117 405698 3116->3117 3118 40566c lstrcmpiA 3116->3118 3117->3096 3117->3097 3118->3117 
3119 405685 CharNextA 3118->3119 3119->3116 3120->3100 3825 403513 3826 40351e 3825->3826 3827 403522 3826->3827 3828 403525 GlobalAlloc 3826->3828 3828->3827 3225 401d95 3226 4029d9 18 API calls 3225->3226 3227 401d9b 3226->3227 3228 4029d9 18 API calls 3227->3228 3229 401da4 3228->3229 3230 401db6 EnableWindow 3229->3230 3231 401dab ShowWindow 3229->3231 3232 40288b 3230->3232 3231->3232 3829 402615 3830 402618 3829->3830 3831 402630 3829->3831 3832 402625 FindNextFileA 3830->3832 3832->3831 3833 40266f 3832->3833 3835 405a0c lstrcpynA 3833->3835 3835->3831 3836 401595 3837 4029f6 18 API calls 3836->3837 3838 40159c SetFileAttributesA 3837->3838 3839 4015ae 3838->3839 3840 401e95 3841 4029f6 18 API calls 3840->3841 3842 401e9c 3841->3842 3843 405d07 2 API calls 3842->3843 3844 401ea2 3843->3844 3846 401eb4 3844->3846 3847 40596a wsprintfA 3844->3847 3847->3846 3848 401696 3849 4029f6 18 API calls 3848->3849 3850 40169c GetFullPathNameA 3849->3850 3851 4016d4 3850->3851 3852 4016b3 3850->3852 3853 4016e8 GetShortPathNameA 3851->3853 3854 40288b 3851->3854 3852->3851 3855 405d07 2 API calls 3852->3855 3853->3854 3856 4016c4 3855->3856 3856->3851 3858 405a0c lstrcpynA 3856->3858 3858->3851 3446 401e1b 3447 4029f6 18 API calls 3446->3447 3448 401e21 3447->3448 3449 404daa 25 API calls 3448->3449 3450 401e2b 3449->3450 3451 40526c 2 API calls 3450->3451 3455 401e31 3451->3455 3452 401e87 CloseHandle 3454 40265c 3452->3454 3453 401e50 WaitForSingleObject 3453->3455 3456 401e5e GetExitCodeProcess 3453->3456 3455->3452 3455->3453 3455->3454 3457 405d67 2 API calls 3455->3457 3458 401e70 3456->3458 3459 401e7b 3456->3459 3457->3453 3462 40596a wsprintfA 3458->3462 3459->3452 3460 401e79 3459->3460 3460->3452 3462->3460 3859 401d1b GetDC GetDeviceCaps 3860 4029d9 18 API calls 3859->3860 3861 401d37 MulDiv 3860->3861 3862 4029d9 18 API calls 3861->3862 3863 401d4c 3862->3863 3864 405a2e 18 API calls 3863->3864 3865 401d85 CreateFontIndirectA 3864->3865 3866 4024b8 
3865->3866 3867 40249c 3868 4029f6 18 API calls 3867->3868 3869 4024a3 3868->3869 3872 4056e3 GetFileAttributesA CreateFileA 3869->3872 3871 4024af 3872->3871 2643 402020 2661 4029f6 2643->2661 2646 4029f6 18 API calls 2647 402031 2646->2647 2648 4029f6 18 API calls 2647->2648 2649 40203a 2648->2649 2650 4029f6 18 API calls 2649->2650 2651 402044 2650->2651 2652 4029f6 18 API calls 2651->2652 2654 40204e 2652->2654 2653 402062 CoCreateInstance 2658 402081 2653->2658 2659 402137 2653->2659 2654->2653 2655 4029f6 18 API calls 2654->2655 2655->2653 2657 402169 2658->2659 2660 402116 MultiByteToWideChar 2658->2660 2659->2657 2667 401423 2659->2667 2660->2659 2662 402a02 2661->2662 2670 405a2e 2662->2670 2665 402027 2665->2646 2709 404daa 2667->2709 2679 405a3b 2670->2679 2671 405c55 2672 402a23 2671->2672 2704 405a0c lstrcpynA 2671->2704 2672->2665 2688 405c6e 2672->2688 2674 405ad3 GetVersion 2674->2679 2675 405c2c lstrlenA 2675->2679 2678 405a2e 10 API calls 2678->2675 2679->2671 2679->2674 2679->2675 2679->2678 2680 405b4b GetSystemDirectoryA 2679->2680 2682 405b5e GetWindowsDirectoryA 2679->2682 2683 405c6e 5 API calls 2679->2683 2684 405bd5 lstrcatA 2679->2684 2685 405b92 SHGetSpecialFolderLocation 2679->2685 2686 405a2e 10 API calls 2679->2686 2697 4058f3 RegOpenKeyExA 2679->2697 2702 40596a wsprintfA 2679->2702 2703 405a0c lstrcpynA 2679->2703 2680->2679 2682->2679 2683->2679 2684->2679 2685->2679 2687 405baa SHGetPathFromIDListA CoTaskMemFree 2685->2687 2686->2679 2687->2679 2694 405c7a 2688->2694 2689 405ce2 2690 405ce6 CharPrevA 2689->2690 2693 405d01 2689->2693 2690->2689 2691 405cd7 CharNextA 2691->2689 2691->2694 2693->2665 2694->2689 2694->2691 2695 405cc5 CharNextA 2694->2695 2696 405cd2 CharNextA 2694->2696 2705 40552a 2694->2705 2695->2694 2696->2691 2698 405964 2697->2698 2699 405926 RegQueryValueExA 2697->2699 2698->2679 2700 405947 RegCloseKey 2699->2700 2700->2698 2702->2679 2703->2679 2704->2672 2706 405530 2705->2706 2707 405543 2706->2707 2708 
405536 CharNextA 2706->2708 2707->2694 2708->2706 2710 401431 2709->2710 2711 404dc5 2709->2711 2710->2657 2712 404de2 lstrlenA 2711->2712 2713 405a2e 18 API calls 2711->2713 2714 404df0 lstrlenA 2712->2714 2715 404e0b 2712->2715 2713->2712 2714->2710 2716 404e02 lstrcatA 2714->2716 2717 404e11 SetWindowTextA 2715->2717 2718 404e1e 2715->2718 2716->2715 2717->2718 2718->2710 2719 404e24 SendMessageA SendMessageA SendMessageA 2718->2719 2719->2710 2732 401721 2733 4029f6 18 API calls 2732->2733 2734 401728 2733->2734 2738 405712 2734->2738 2736 40172f 2737 405712 2 API calls 2736->2737 2737->2736 2739 40571d GetTickCount GetTempFileNameA 2738->2739 2740 40574d 2739->2740 2741 405749 2739->2741 2740->2736 2741->2739 2741->2740 3873 401922 3874 4029f6 18 API calls 3873->3874 3875 401929 lstrlenA 3874->3875 3876 4024b8 3875->3876 2785 402223 2786 40222b 2785->2786 2789 402231 2785->2789 2787 4029f6 18 API calls 2786->2787 2787->2789 2788 402241 2791 40224f 2788->2791 2793 4029f6 18 API calls 2788->2793 2789->2788 2790 4029f6 18 API calls 2789->2790 2790->2788 2792 4029f6 18 API calls 2791->2792 2794 402258 WritePrivateProfileStringA 2792->2794 2793->2791 3877 401ca5 3878 4029d9 18 API calls 3877->3878 3879 401cb5 SetWindowLongA 3878->3879 3880 40288b 3879->3880 3881 401a26 3882 4029d9 18 API calls 3881->3882 3883 401a2c 3882->3883 3884 4029d9 18 API calls 3883->3884 3885 4019d6 3884->3885 3886 402427 3896 402b00 3886->3896 3888 402431 3889 4029d9 18 API calls 3888->3889 3890 40243a 3889->3890 3891 402451 RegEnumKeyA 3890->3891 3892 40245d RegEnumValueA 3890->3892 3894 40265c 3890->3894 3893 402476 RegCloseKey 3891->3893 3892->3893 3892->3894 3893->3894 3897 4029f6 18 API calls 3896->3897 3898 402b19 3897->3898 3899 402b27 RegOpenKeyExA 3898->3899 3899->3888 3900 4022a7 3901 4022d7 3900->3901 3902 4022ac 3900->3902 3903 4029f6 18 API calls 3901->3903 3904 402b00 19 API calls 3902->3904 3906 4022de 3903->3906 3905 4022b3 3904->3905 3907 4029f6 18 API calls 3905->3907 
3910 4022f4 3905->3910 3911 402a36 RegOpenKeyExA 3906->3911 3908 4022c4 RegDeleteValueA RegCloseKey 3907->3908 3908->3910 3917 402a61 3911->3917 3919 402aad 3911->3919 3912 402a87 RegEnumKeyA 3913 402a99 RegCloseKey 3912->3913 3912->3917 3914 405d2e 3 API calls 3913->3914 3918 402aa9 3914->3918 3915 402abe RegCloseKey 3915->3919 3916 402a36 3 API calls 3916->3917 3917->3912 3917->3913 3917->3915 3917->3916 3918->3919 3920 402ad9 RegDeleteKeyA 3918->3920 3919->3910 3920->3919 3121 401bad 3122 4029d9 18 API calls 3121->3122 3123 401bb4 3122->3123 3124 4029d9 18 API calls 3123->3124 3125 401bbe 3124->3125 3126 401bce 3125->3126 3127 4029f6 18 API calls 3125->3127 3128 401bde 3126->3128 3129 4029f6 18 API calls 3126->3129 3127->3126 3130 401be9 3128->3130 3131 401c2d 3128->3131 3129->3128 3133 4029d9 18 API calls 3130->3133 3132 4029f6 18 API calls 3131->3132 3134 401c32 3132->3134 3135 401bee 3133->3135 3136 4029f6 18 API calls 3134->3136 3137 4029d9 18 API calls 3135->3137 3138 401c3b FindWindowExA 3136->3138 3139 401bf7 3137->3139 3142 401c59 3138->3142 3140 401c1d SendMessageA 3139->3140 3141 401bff SendMessageTimeoutA 3139->3141 3140->3142 3141->3142 3921 4023af 3922 402b00 19 API calls 3921->3922 3923 4023b9 3922->3923 3924 4029f6 18 API calls 3923->3924 3925 4023c2 3924->3925 3926 40265c 3925->3926 3927 4023cc RegQueryValueExA 3925->3927 3928 4023ec 3927->3928 3929 4023f2 RegCloseKey 3927->3929 3928->3929 3932 40596a wsprintfA 3928->3932 3929->3926 3932->3929 3933 404531 3934 404541 3933->3934 3935 40455d 3933->3935 3944 4052b1 GetDlgItemTextA 3934->3944 3937 404590 3935->3937 3938 404563 SHGetPathFromIDListA 3935->3938 3940 40457a SendMessageA 3938->3940 3941 404573 3938->3941 3939 40454e SendMessageA 3939->3935 3940->3937 3942 40140b 2 API calls 3941->3942 3942->3940 3944->3939 3161 4015b3 3162 4029f6 18 API calls 3161->3162 3163 4015ba 3162->3163 3164 405593 4 API calls 3163->3164 3175 4015c2 3164->3175 3165 40160a 3166 40162d 3165->3166 3167 40160f 
3165->3167 3173 401423 25 API calls 3166->3173 3169 401423 25 API calls 3167->3169 3168 40552a CharNextA 3170 4015d0 CreateDirectoryA 3168->3170 3172 401616 3169->3172 3171 4015e5 GetLastError 3170->3171 3170->3175 3174 4015f2 GetFileAttributesA 3171->3174 3171->3175 3179 405a0c lstrcpynA 3172->3179 3178 402169 3173->3178 3174->3175 3175->3165 3175->3168 3177 401621 SetCurrentDirectoryA 3177->3178 3179->3177 3180 401734 3181 4029f6 18 API calls 3180->3181 3182 40173b 3181->3182 3183 401761 3182->3183 3184 401759 3182->3184 3220 405a0c lstrcpynA 3183->3220 3219 405a0c lstrcpynA 3184->3219 3187 40175f 3191 405c6e 5 API calls 3187->3191 3188 40176c 3189 4054ff 3 API calls 3188->3189 3190 401772 lstrcatA 3189->3190 3190->3187 3195 40177e 3191->3195 3192 405d07 2 API calls 3192->3195 3193 4056c4 2 API calls 3193->3195 3195->3192 3195->3193 3196 401795 CompareFileTime 3195->3196 3197 401859 3195->3197 3205 405a2e 18 API calls 3195->3205 3208 405a0c lstrcpynA 3195->3208 3216 401830 3195->3216 3218 4056e3 GetFileAttributesA CreateFileA 3195->3218 3221 4052cd 3195->3221 3196->3195 3198 404daa 25 API calls 3197->3198 3200 401863 3198->3200 3199 404daa 25 API calls 3206 401845 3199->3206 3201 402e5b 33 API calls 3200->3201 3202 401876 3201->3202 3203 40188a SetFileTime 3202->3203 3204 40189c FindCloseChangeNotification 3202->3204 3203->3204 3204->3206 3207 4018ad 3204->3207 3205->3195 3209 4018b2 3207->3209 3210 4018c5 3207->3210 3208->3195 3211 405a2e 18 API calls 3209->3211 3212 405a2e 18 API calls 3210->3212 3214 4018ba lstrcatA 3211->3214 3215 4018cd 3212->3215 3214->3215 3217 4052cd MessageBoxIndirectA 3215->3217 3216->3199 3216->3206 3217->3206 3218->3195 3219->3187 3220->3188 3222 4052e2 3221->3222 3223 40532e 3222->3223 3224 4052f6 MessageBoxIndirectA 3222->3224 3223->3195 3224->3223 3945 401634 3946 4029f6 18 API calls 3945->3946 3947 40163a 3946->3947 3948 405d07 2 API calls 3947->3948 3949 401640 3948->3949 3950 401934 3951 4029d9 18 API calls 3950->3951 3952 
40193b 3951->3952 3953 4029d9 18 API calls 3952->3953 3954 401945 3953->3954 3955 4029f6 18 API calls 3954->3955 3956 40194e 3955->3956 3957 401961 lstrlenA 3956->3957 3960 40199c 3956->3960 3958 40196b 3957->3958 3958->3960 3963 405a0c lstrcpynA 3958->3963 3961 401985 3961->3960 3962 401992 lstrlenA 3961->3962 3962->3960 3963->3961 3964 4041b5 3965 4041c5 3964->3965 3966 4041eb 3964->3966 3968 403dbe 19 API calls 3965->3968 3967 403e25 8 API calls 3966->3967 3969 4041f7 3967->3969 3970 4041d2 SetDlgItemTextA 3968->3970 3970->3966 3971 4019b5 3972 4029f6 18 API calls 3971->3972 3973 4019bc 3972->3973 3974 4029f6 18 API calls 3973->3974 3975 4019c5 3974->3975 3976 4019cc lstrcmpiA 3975->3976 3977 4019de lstrcmpA 3975->3977 3978 4019d2 3976->3978 3977->3978 3979 4014b7 3980 4014bd 3979->3980 3981 401389 2 API calls 3980->3981 3982 4014c5 3981->3982 3983 402b3b 3984 402b4a SetTimer 3983->3984 3986 402b63 3983->3986 3984->3986 3985 402bb8 3986->3985 3987 402b7d MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 3986->3987 3987->3985 3988 40263e 3989 4029f6 18 API calls 3988->3989 3990 402645 FindFirstFileA 3989->3990 3991 402668 3990->3991 3992 402658 3990->3992 3993 40266f 3991->3993 3996 40596a wsprintfA 3991->3996 3997 405a0c lstrcpynA 3993->3997 3996->3993 3997->3992 3998 4024be 3999 4024c3 3998->3999 4000 4024d4 3998->4000 4002 4029d9 18 API calls 3999->4002 4001 4029f6 18 API calls 4000->4001 4003 4024db lstrlenA 4001->4003 4004 4024ca 4002->4004 4003->4004 4005 40265c 4004->4005 4006 4024fa WriteFile 4004->4006 4006->4005

                                                                    Control-flow Graph
                                                                    [Rendered graph node/edge listing omitted. Function entry block 4030fa-40318f: #17, SetErrorMode, OleInitialize, call 405d2e, SHGetFileInfoA, call 405a0c, GetCommandLineA, call 405a0c, GetModuleHandleA; the graph ends in ExitProcess at 403471-403475. The API calls it references are listed under APIs below.]
                                                                    APIs
                                                                    • #17.COMCTL32 ref: 00403119
                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 00403124
                                                                    • OleInitialize.OLE32(00000000), ref: 0040312B
                                                                      • Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                                      • Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                                      • Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                                    • SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153
                                                                      • Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Ortelia Curator 1.3 Setup,NSIS Error), ref: 00405A19
                                                                    • GetCommandLineA.KERNEL32(Ortelia Curator 1.3 Setup,NSIS Error), ref: 00403168
                                                                    • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 0040317B
                                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000020), ref: 004031A6
                                                                    • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403239
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
                                                                    • DeleteFileA.KERNELBASE(1033), ref: 0040326D
                                                                    • ExitProcess.KERNEL32(00000000), ref: 004032E6
                                                                    • OleUninitialize.OLE32(00000000), ref: 004032EB
                                                                    • ExitProcess.KERNEL32 ref: 0040330B
                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000,00000000), ref: 00403317
                                                                    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403323
                                                                    • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
                                                                    • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
                                                                    • DeleteFileA.KERNEL32(00428B98,00428B98,?,Admin,?), ref: 00403380
                                                                    • CopyFileA.KERNEL32(C:\Users\user\Desktop\CuratorStandardSetup.exe,00428B98,00000001), ref: 00403394
                                                                    • CloseHandle.KERNEL32(00000000,00428B98,00428B98,?,00428B98,00000000), ref: 004033C1
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403452
                                                                    • ExitProcess.KERNEL32 ref: 00403475
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                    • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\CuratorStandardSetup.exe"$1033$Admin$C:\Program Files (x86)\Ortelia Curator$C:\Program Files (x86)\Ortelia Curator$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CuratorStandardSetup.exe$Error launching installer$NCRC$NSIS Error$Ortelia Curator 1.3 Setup$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                    • API String ID: 553446912-3972126633
                                                                    • Opcode ID: bc21a35b1e9231f7bec46e6e88124fc85166ca33d166fd8d5befcdc374f0fec4
                                                                    • Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
                                                                    • Opcode Fuzzy Hash: bc21a35b1e9231f7bec46e6e88124fc85166ca33d166fd8d5befcdc374f0fec4
                                                                    • Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

                                                                    Control-flow Graph
                                                                    [Rendered graph node/edge listing omitted. Function entry block 404ee8-404f03; the graph covers the dialog setup path (GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageA, ShowWindow), a CreateThread branch at 40509d-4050bf, a popup-menu branch (CreatePopupMenu, AppendMenuA, TrackPopupMenu) and a clipboard branch (OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard). The API calls it references are listed under APIs below.]
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000403), ref: 00404F47
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00404F56
                                                                    • GetClientRect.USER32(?,?), ref: 00404F93
                                                                    • GetSystemMetrics.USER32(00000015), ref: 00404F9B
                                                                    • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404FBC
                                                                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FCD
                                                                    • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FE0
                                                                    • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FEE
                                                                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405001
                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405023
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405037
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405058
                                                                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405068
                                                                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405081
                                                                    • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040508D
                                                                    • GetDlgItem.USER32(?,000003F8), ref: 00404F65
                                                                      • Part of subcall function 00403DF3: SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004050AA
                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00004E7C,00000000), ref: 004050B8
                                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004050BF
                                                                    • ShowWindow.USER32(00000000), ref: 004050E3
                                                                    • ShowWindow.USER32(0004043A,00000008), ref: 004050E8
                                                                    • ShowWindow.USER32(00000008), ref: 0040512F
                                                                    • SendMessageA.USER32(0004043A,00001004,00000000,00000000), ref: 00405161
                                                                    • CreatePopupMenu.USER32 ref: 00405172
                                                                    • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405187
                                                                    • GetWindowRect.USER32(0004043A,?), ref: 0040519A
                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051F9
                                                                    • OpenClipboard.USER32(00000000), ref: 00405209
                                                                    • EmptyClipboard.USER32 ref: 0040520F
                                                                    • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
                                                                    • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405222
                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405236
                                                                    • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040524E
                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00405259
                                                                    • CloseClipboard.USER32 ref: 0040525F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                    • String ID: {
                                                                    • API String ID: 4154960007-366298937
                                                                    • Opcode ID: fe7e969d2c22f19af4888f7a47512703474a450c12f54b0918034fcaa462cfcc
                                                                    • Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
                                                                    • Opcode Fuzzy Hash: fe7e969d2c22f19af4888f7a47512703474a450c12f54b0918034fcaa462cfcc
                                                                    • Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

Control-flow graph of the function at 004041FC (basic blocks 004041FC to 0040452E; the rendered graph, its Executed/Not Executed legend and its edge list are not reproduced here)
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404248
                                                                    • SetWindowTextA.USER32(?,?), ref: 00404275
                                                                    • SHAutoComplete.SHLWAPI(?,00000001,00000007,?,?,00000014,?,?,00000001,?), ref: 004042B3
                                                                    • SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404335
                                                                    • lstrcmpiA.KERNEL32(Remove folder: ,00429FE0), ref: 00404367
                                                                    • lstrcatA.KERNEL32(?,Remove folder: ), ref: 00404373
                                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404383
                                                                      • Part of subcall function 004052B1: GetDlgItemTextA.USER32(?,?,00000400,004043B6), ref: 004052C4
                                                                      • Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
                                                                      • Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
                                                                      • Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
                                                                      • Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8
                                                                    • GetDiskFreeSpaceExA.KERNELBASE(C:\Program Files (x86)\,?,?,?,00000000,C:\Program Files (x86)\,?,?,000003FB,?), ref: 004043F5
                                                                    • GetDiskFreeSpaceA.KERNEL32(C:\Program Files (x86)\,?,?,0000040F,?,C:\Program Files (x86)\,C:\Program Files (x86)\,?,00000000,C:\Program Files (x86)\,?,?,000003FB,?), ref: 0040443C
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404457
                                                                    • SetDlgItemTextA.USER32(00000000,00000400,00428F98), ref: 004044D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpi
                                                                    • String ID: A$Admin$C:\Program Files (x86)\$C:\Program Files (x86)\Ortelia Curator$Remove folder:
                                                                    • API String ID: 936030579-710193818
                                                                    • Opcode ID: 56b57ac24ace541c1605ebccafb9669887283688539389553302a9a9a4450f5d
                                                                    • Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
                                                                    • Opcode Fuzzy Hash: 56b57ac24ace541c1605ebccafb9669887283688539389553302a9a9a4450f5d
                                                                    • Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59

Control-flow graph of the function at 00405A2E (basic blocks 00405A2E to 00405C6B; the rendered graph, its Executed/Not Executed legend and its edge list are not reproduced here)
                                                                    APIs
                                                                    • GetVersion.KERNEL32(00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,00404DE2,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000), ref: 00405AD6
                                                                    • GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B51
                                                                    • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B64
                                                                    • SHGetSpecialFolderLocation.SHELL32(?,0076674C), ref: 00405BA0
                                                                    • SHGetPathFromIDListA.SHELL32(0076674C,Remove folder: ), ref: 00405BAE
                                                                    • CoTaskMemFree.OLE32(0076674C), ref: 00405BB9
                                                                    • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
                                                                    • lstrlenA.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,00404DE2,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000), ref: 00405C2D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                    • String ID: Admin$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                    • API String ID: 900638850-2427605732
                                                                    • Opcode ID: 846b22e61c070398cd05a92e3a510f78d4c6db27c62cd07b9d697c387b804f0c
                                                                    • Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
                                                                    • Opcode Fuzzy Hash: 846b22e61c070398cd05a92e3a510f78d4c6db27c62cd07b9d697c387b804f0c
                                                                    • Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

Control-flow graph of the function at 00405331 (basic blocks 00405331 to 004054FC; the rendered graph, its Executed/Not Executed legend and its edge list are not reproduced here)
                                                                    APIs
                                                                    • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 0040534F
                                                                    • lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 00405399
                                                                    • lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 004053BA
                                                                    • lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 004053C0
                                                                    • FindFirstFileA.KERNELBASE(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 004053D1
                                                                    • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00405483
                                                                    • FindClose.KERNEL32(?), ref: 00405494
                                                                    Strings
                                                                    • "C:\Users\user\Desktop\CuratorStandardSetup.exe", xrefs: 0040533B
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405331
                                                                    • \*.*, xrefs: 00405393
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: "C:\Users\user\Desktop\CuratorStandardSetup.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                    • API String ID: 2035342205-1127485010
                                                                    • Opcode ID: fb5f0b97fd6045d75f3de5e206462d23269cef9c6319140f549f9214963cb2b4
                                                                    • Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
                                                                    • Opcode Fuzzy Hash: fb5f0b97fd6045d75f3de5e206462d23269cef9c6319140f549f9214963cb2b4
                                                                    • Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Uninstall.lnk,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D
                                                                    Strings
                                                                    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Uninstall.lnk, xrefs: 00402116, 00402120, 0040213C
                                                                    • C:\Program Files (x86)\Ortelia Curator, xrefs: 004020AB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                                    • String ID: C:\Program Files (x86)\Ortelia Curator$C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ortelia Curator\Uninstall.lnk
                                                                    • API String ID: 123533781-910762151
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                                    • LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                                    Similarity
                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                    • String ID:
                                                                    • API String ID: 310444273-0
                                                                    APIs
                                                                    • FindFirstFileA.KERNELBASE(?,0042C030,0042B3E8,00405623,0042B3E8,0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 00405D12
                                                                    • FindClose.KERNEL32(00000000), ref: 00405D1E
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0

                                                                    Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
                                                                    • ShowWindow.USER32(?), ref: 00403944
                                                                    • DestroyWindow.USER32 ref: 00403958
                                                                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403974
                                                                    • GetDlgItem.USER32(?,?), ref: 00403995
                                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039A9
                                                                    • IsWindowEnabled.USER32(00000000), ref: 004039B0
                                                                    • GetDlgItem.USER32(?,00000001), ref: 00403A5E
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00403A68
                                                                    • SetClassLongA.USER32(?,000000F2,?), ref: 00403A82
                                                                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AD3
                                                                    • GetDlgItem.USER32(?,00000003), ref: 00403B79
                                                                    • ShowWindow.USER32(00000000,?), ref: 00403B9A
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403BAC
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403BC7
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BDD
                                                                    • EnableMenuItem.USER32(00000000), ref: 00403BE4
                                                                    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BFC
                                                                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C0F
                                                                    • lstrlenA.KERNEL32(00429FE0,?,00429FE0,Ortelia Curator 1.3 Setup), ref: 00403C38
                                                                    • SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
                                                                    • ShowWindow.USER32(?,0000000A), ref: 00403D7B
                                                                    Strings
                                                                    • Ortelia Curator 1.3 Setup, xrefs: 00403C29
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                                                    • String ID: Ortelia Curator 1.3 Setup
                                                                    • API String ID: 1252290697-387197903

                                                                    Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                      • Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                                      • Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                                      • Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                                    • lstrcatA.KERNEL32(1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
                                                                    • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\Ortelia Curator,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\CuratorStandardSetup.exe"), ref: 0040363B
                                                                    • lstrcmpiA.KERNEL32(?,.exe), ref: 0040364E
                                                                    • GetFileAttributesA.KERNEL32(Remove folder: ), ref: 00403659
                                                                    • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Ortelia Curator), ref: 004036A2
                                                                      • Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977
                                                                    • RegisterClassA.USER32 ref: 004036E9
                                                                    • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
                                                                    • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040373A
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403770
                                                                    • LoadLibraryA.KERNELBASE(RichEd20), ref: 00403781
                                                                    • LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
                                                                    • GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 0040379C
                                                                    • GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004037A9
                                                                    • RegisterClassA.USER32(0042E300), ref: 004037B2
                                                                    • DialogBoxParamA.USER32(?,00000000,004038EB,00000000), ref: 004037D1
                                                                    Similarity
                                                                    • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: "C:\Users\user\Desktop\CuratorStandardSetup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\Ortelia Curator$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                    • API String ID: 914957316-85744923

                                                                    Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
                                                                    • GetDlgItem.USER32(00000000,000003E8), ref: 00403FA5
                                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FC3
                                                                    • GetSysColor.USER32(?), ref: 00403FD4
                                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FE3
                                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FF2
                                                                    • lstrlenA.KERNEL32(?), ref: 00403FFC
                                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040400A
                                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404019
                                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040407C
                                                                    • SendMessageA.USER32(00000000), ref: 0040407F
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 004040AA
                                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040EA
                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 004040F9
                                                                    • SetCursor.USER32(00000000), ref: 00404102
                                                                    • ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 00404122
                                                                    • SetCursor.USER32(00000000), ref: 00404125
                                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404151
                                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404165
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                    • String ID: N$Remove folder: $open
                                                                    • API String ID: 3615053054-3278287247

                                                                    Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402C33
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\CuratorStandardSetup.exe,00000400), ref: 00402C4F
                                                                      • Part of subcall function 004056E3: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\CuratorStandardSetup.exe,80000000,00000003), ref: 004056E7
                                                                      • Part of subcall function 004056E3: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709
                                                                    • GetFileSize.KERNEL32(00000000,00000000,CuratorStandardSetup.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CuratorStandardSetup.exe,C:\Users\user\Desktop\CuratorStandardSetup.exe,80000000,00000003), ref: 00402C9B
                                                                    Strings
                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
                                                                    • C:\Users\user\Desktop\CuratorStandardSetup.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
                                                                    • soft, xrefs: 00402D10
                                                                    • `ko, xrefs: 00402C4A
                                                                    • CuratorStandardSetup.exe, xrefs: 00402C8F
                                                                    • "C:\Users\user\Desktop\CuratorStandardSetup.exe", xrefs: 00402C2C
                                                                    • Inst, xrefs: 00402D07
                                                                    • C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88
                                                                    • Error launching installer, xrefs: 00402C72
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
                                                                    • Null, xrefs: 00402D19
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                    • String ID: "C:\Users\user\Desktop\CuratorStandardSetup.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CuratorStandardSetup.exe$CuratorStandardSetup.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`ko$soft
                                                                    • API String ID: 4283519449-85837726
                                                                    • Opcode ID: 19a1f9410bf62bb7c26d91ab593fbbc98d7f1b49a46bf68e22654edc0ba003eb
                                                                    • Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
                                                                    • Opcode Fuzzy Hash: 19a1f9410bf62bb7c26d91ab593fbbc98d7f1b49a46bf68e22654edc0ba003eb
                                                                    • Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

                                                                    Control-flow Graph (entry block 401734-401757; rendered graph not reproduced)
                                                                    APIs
                                                                    • lstrcatA.KERNEL32(00000000,00000000,"C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe",C:\Program Files (x86)\Ortelia Curator,00000000,00000000,00000031), ref: 00401773
                                                                    • CompareFileTime.KERNEL32(-00000014,?,"C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe","C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe",00000000,00000000,"C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe",C:\Program Files (x86)\Ortelia Curator,00000000,00000000,00000031), ref: 0040179D
                                                                      • Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Ortelia Curator 1.3 Setup,NSIS Error), ref: 00405A19
                                                                      • Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
                                                                      • Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
                                                                      • Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0), ref: 00404E06
                                                                      • Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\), ref: 00404E18
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                    • String ID: "C:\Program Files (x86)\Ortelia Curator\OrteliaCurator.exe"$Admin$C:\Program Files (x86)\Ortelia Curator$State
                                                                    • API String ID: 1941528284-2773592318
                                                                    • Opcode ID: 5764c5881e74c298e0271c9ee47bdc948f6cebb267fb6ceaf7a45804cd027a39
                                                                    • Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
                                                                    • Opcode Fuzzy Hash: 5764c5881e74c298e0271c9ee47bdc948f6cebb267fb6ceaf7a45804cd027a39
                                                                    • Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

                                                                    Control-flow Graph (entry block 402e5b-402e6f; rendered graph not reproduced)
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402EC2
                                                                    • GetTickCount.KERNEL32 ref: 00402F69
                                                                    • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F92
                                                                    • wsprintfA.USER32 ref: 00402FA2
                                                                    • WriteFile.KERNELBASE(00000000,00000000,0076674C,7FFFFFFF,00000000), ref: 00402FD0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CountTick$FileWritewsprintf
                                                                    • String ID: ... %d%%$Lgv
                                                                    • API String ID: 4209647438-3632238089
                                                                    • Opcode ID: 7289b7ae2f0745a7acfa0f8d9375c81fb7e26caa9b1403e8e39dbbcf3e0a4daa
                                                                    • Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
                                                                    • Opcode Fuzzy Hash: 7289b7ae2f0745a7acfa0f8d9375c81fb7e26caa9b1403e8e39dbbcf3e0a4daa
                                                                    • Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

                                                                    Control-flow Graph (entry block 404daa-404dbf; rendered graph not reproduced)
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
                                                                    • lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
                                                                    • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0), ref: 00404E06
                                                                    • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\), ref: 00404E18
                                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
                                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
                                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                    • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\
                                                                    • API String ID: 2531174081-3886169273
                                                                    • Opcode ID: 4c40d471567b76e324dd5d5172a32d65f1e9fb516d406fa49f56aca93204cf98
                                                                    • Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
                                                                    • Opcode Fuzzy Hash: 4c40d471567b76e324dd5d5172a32d65f1e9fb516d406fa49f56aca93204cf98
                                                                    • Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

                                                                    Control-flow Graph (rendered graph not reproduced)
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,0000C400,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
                                                                    • GlobalFree.KERNEL32(?), ref: 00402725
                                                                    • WriteFile.KERNELBASE(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
                                                                    • GlobalFree.KERNELBASE(00000000), ref: 0040273E
                                                                    • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
                                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                    • String ID:
                                                                    • API String ID: 3294113728-0
                                                                    • Opcode ID: ad9dba0a6d7d7ff00a0aa23633edca48885571ce4b116709350681886f746bde
                                                                    • Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
                                                                    • Opcode Fuzzy Hash: ad9dba0a6d7d7ff00a0aa23633edca48885571ce4b116709350681886f746bde
                                                                    • Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9

                                                                    Control-flow Graph (entry block 401f51-401f5d; rendered graph not reproduced)
                                                                    APIs
                                                                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                                                                      • Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
                                                                      • Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
                                                                      • Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0), ref: 00404E06
                                                                      • Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\), ref: 00404E18
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
                                                                    • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                                                                    • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                    • String ID: Admin$B
                                                                    • API String ID: 2987980305-1687173173
                                                                    • Opcode ID: 7801585ffc0b9ac36e2f6c86c8f002994cbbb77bfdbfe2fb33793952b630982a
                                                                    • Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
                                                                    • Opcode Fuzzy Hash: 7801585ffc0b9ac36e2f6c86c8f002994cbbb77bfdbfe2fb33793952b630982a
                                                                    • Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

                                                                     Control-flow Graph (graph image omitted; legend: Executed / Not Executed; function starting at 4015b3)
                                                                    APIs
                                                                      • Part of subcall function 00405593: CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 004055A1
                                                                      • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
                                                                      • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5
                                                                    • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                                                    • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                                                    • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Program Files (x86)\Ortelia Curator,00000000,00000000,000000F0), ref: 00401622
                                                                    Strings
                                                                    • C:\Program Files (x86)\Ortelia Curator, xrefs: 00401617
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                    • String ID: C:\Program Files (x86)\Ortelia Curator
                                                                    • API String ID: 3751793516-387673481
                                                                    • Opcode ID: e9d59eda693b922a5fdb80184fc3babb31ba0cd8e1a3062a527ae998bf2baf8a
                                                                    • Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
                                                                    • Opcode Fuzzy Hash: e9d59eda693b922a5fdb80184fc3babb31ba0cd8e1a3062a527ae998bf2baf8a
                                                                    • Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00405725
                                                                    • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 0040573F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: "C:\Users\user\Desktop\CuratorStandardSetup.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                    • API String ID: 1716503409-4168663942
                                                                    • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                                    • Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
                                                                    • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                                    • Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
                                                                    • wsprintfA.USER32 ref: 0040462D
                                                                    • SetDlgItemTextA.USER32(?,00429FE0), ref: 00404640
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                    • String ID: %u.%u%s%s
                                                                    • API String ID: 3540041739-3551169577
                                                                    • Opcode ID: fd388339aec9d893d962720d18bfd2796e1835fb68edb78dc8a466f60b8149e1
                                                                    • Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
                                                                    • Opcode Fuzzy Hash: fd388339aec9d893d962720d18bfd2796e1835fb68edb78dc8a466f60b8149e1
                                                                    • Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8
                                                                    APIs
                                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
                                                                    • Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
                                                                    • Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
                                                                    • Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
                                                                    • CloseHandle.KERNEL32(?), ref: 0040529E
                                                                    Strings
                                                                    • Error launching installer, xrefs: 0040527F
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleProcess
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                                                    • API String ID: 3712363035-1785902839
                                                                    • Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
                                                                    • Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
                                                                    • Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
                                                                    • Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9
                                                                    APIs
                                                                    • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
                                                                    • lstrlenA.KERNEL32(0040A380,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
                                                                    • RegSetValueExA.KERNELBASE(?,?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
                                                                    • RegCloseKey.ADVAPI32(?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateValuelstrlen
                                                                    • String ID:
                                                                    • API String ID: 1356686001-0
                                                                    • Opcode ID: 6d3b865e91797ef867c492b09b4a0ea448f3873fd28b0c564879606631dd48fe
                                                                    • Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
                                                                    • Opcode Fuzzy Hash: 6d3b865e91797ef867c492b09b4a0ea448f3873fd28b0c564879606631dd48fe
                                                                    • Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669
                                                                    APIs
                                                                      • Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
                                                                      • Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
                                                                      • Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
                                                                      • Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8
                                                                    • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$CreateDirectoryPrev
                                                                    • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                                    • API String ID: 4115351271-517883005
                                                                    • Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
                                                                    • Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
                                                                    • Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
                                                                    • Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
                                                                    • GlobalFree.KERNEL32(00000000), ref: 004034E1
                                                                    Strings
                                                                    • "C:\Users\user\Desktop\CuratorStandardSetup.exe", xrefs: 004034D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Free$GlobalLibrary
                                                                    • String ID: "C:\Users\user\Desktop\CuratorStandardSetup.exe"
                                                                    • API String ID: 1100898210-3278871761
                                                                    • Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
                                                                    • Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
                                                                    • Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
                                                                    • Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD
                                                                    APIs
                                                                      • Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
                                                                      • Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
                                                                      • Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C,74DF23A0), ref: 00404E06
                                                                      • Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\), ref: 00404E18
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
                                                                      • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
                                                                      • Part of subcall function 0040526C: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
                                                                      • Part of subcall function 0040526C: CloseHandle.KERNEL32(?), ref: 0040529E
                                                                    • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
                                                                    • GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E65
                                                                    • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 3521207402-0
                                                                    • Opcode ID: 064ced36be0915df7214df9985f5da9ea08c8b6470647d2aaccb4c93f9833b2d
                                                                    • Instruction ID: b33c81b7bc3b485aca967e7674fca75add98f6be2a8732829935c4442cdc9329
                                                                    • Opcode Fuzzy Hash: 064ced36be0915df7214df9985f5da9ea08c8b6470647d2aaccb4c93f9833b2d
                                                                    • Instruction Fuzzy Hash: 99018071904214EBDF11AFA1CD859AE7A75EF00348F24403BF906B61E1C3794A82DB9A
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00405B2F,00000000,00000002,?,00000002,002CEB8D,?,00405B2F,80000002,Software\Microsoft\Windows\CurrentVersion,002CEB8D,Remove folder: ,006FD725), ref: 0040591C
                                                                    • RegQueryValueExA.KERNELBASE(002CEB8D,?,00000000,00405B2F,002CEB8D,00405B2F), ref: 0040593D
                                                                    • RegCloseKey.KERNELBASE(?), ref: 0040595E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
                                                                    • Instruction ID: 7f29002dde4dac3a19eb3905e2141cfc53fc6fe5580d4c3066aa5286193c6294
                                                                    • Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
                                                                    • Instruction Fuzzy Hash: 16015AB104020AEFDF128F64EC44AEB3FACEF153A4F004436F954E6220D235D968DBA5
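The two function records above, the process-launch-and-wait record whose API ID is MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat and the registry-read record whose API ID is CloseOpenQueryValue, are in the form the Joe Sandbox IDA plugin emits for every function: a bulleted list of API calls, each either the function's own call or marked "Part of subcall function", followed by a Similarity block whose API ID is a word key built from the called API names. The Python below is an added example, not Joe Sandbox code. It parses records in this plain-text form, separates direct calls from sub-calls, pulls out the string literals that reach each API (here the "Remove folder:" progress text and the "Error launching installer" message), applies a few triage labels, and rebuilds the API ID word key so the reported value can be checked. SAMPLE is constructed from the two records above with their longest argument lists shortened. The key rules (drop the ANSI A suffix and the words Get, Set, For, Reg, Key and Ex, group words by frequency, sort within a group) are inferred from the records on this page and reproduce these two IDs, but they are an approximation and not Joe Sandbox's documented algorithm; other records on this page show further words being dropped (Ole, Mul, Div). The behaviour labels are this example's own choice.

```python
# Added example (not Joe Sandbox code): parse per-function API records from a Joe
# Sandbox report saved as plain text and build a triage view of each record.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two records copied from this report, metadata lines
# dropped and the longest argument lists shortened.
SAMPLE = r"""
APIs
  • Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000,0076674C), ref: 00404DE3
  • Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00000000), ref: 00404DF3
  • Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,00402FB6,00402FB6), ref: 00404E06
  • Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\), ref: 00404E18
  • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
  • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
  • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
  • Part of subcall function 0040526C: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
  • Part of subcall function 0040526C: CloseHandle.KERNEL32(?), ref: 0040529E
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
• GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E65
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00405B2F,00000000,00000002,?,Software\Microsoft\Windows\CurrentVersion,002CEB8D), ref: 0040591C
• RegQueryValueExA.KERNELBASE(002CEB8D,?,00000000,00405B2F,002CEB8D,00405B2F), ref: 0040593D
• RegCloseKey.KERNELBASE(?), ref: 0040595E
• API ID: CloseOpenQueryValue
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
NON_STRING_ARG = re.compile(r"[0-9A-F]{8}|\?")  # how the report prints numeric/unknown args
ANSI_SUFFIX = re.compile(r"(?<=[a-z])A$")      # SendMessageA -> SendMessage
# Words the report's "API ID" evidently omits. Inferred from this page's records only, so
# the key below is an approximation (other records here also drop e.g. Ole, Mul, Div).
STOP_TOKENS = {"Get", "Set", "For", "Reg", "Key", "Ex"}
# Analyst-chosen behaviour labels, not a Joe Sandbox taxonomy.
BEHAVIOUR_TAGS = {"CreateProcess": "spawns process", "ShellExecute": "spawns process via shell",
                  "WaitForSingleObject": "waits on handle", "GetExitCodeProcess": "reads child exit code",
                  "RegOpenKeyEx": "registry read", "RegQueryValueEx": "registry read",
                  "RegSetValueEx": "registry write"}

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # callee address the IDA plugin attributed this call to, else None

@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    reported_api_id: Optional[str] = None

    def direct_calls(self) -> List[Call]:
        """Calls this function makes itself, excluding those made inside its callees."""
        return [c for c in self.calls if c.subcall_of is None]

    def string_args(self) -> List[str]:
        """String literals reaching any API: whatever is not an 8-hex-digit value or '?'."""
        return sorted({a for c in self.calls for a in c.args if not NON_STRING_ARG.fullmatch(a)})

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                       # every function record opens with this heading
            records.append(FunctionRecord())
        elif records and s.startswith("• API ID:"):
            records[-1].reported_api_id = s.split(":", 1)[1].strip()
        elif records and (m := CALL_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            records[-1].calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return records

def api_tokens(api: str) -> List[str]:
    """Split an API name into the words the report's API ID is assembled from."""
    name = ANSI_SUFFIX.sub("", api)
    if name[0].islower():                     # lstrlen, lstrcat: C-style names stay whole
        return [name]
    return [t for t in re.findall(r"[A-Z][a-z0-9]*", name) if t not in STOP_TOKENS]

def token_key(record: FunctionRecord) -> str:
    """Most frequent words first, '$' between frequency groups, ASCII order within a group."""
    counts = Counter(t for c in record.calls for t in api_tokens(c.api))
    return "$".join("".join(sorted(t for t, n in counts.items() if n == g))
                    for g in sorted(set(counts.values()), reverse=True))

def triage(record: FunctionRecord) -> List[str]:
    """Behaviour labels, counting sub-calls too: they run whenever this function runs."""
    return sorted({BEHAVIOUR_TAGS[b] for c in record.calls
                   if (b := ANSI_SUFFIX.sub("", c.api)) in BEHAVIOUR_TAGS})

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE), 1):
        print(f"record {i}: direct={[c.api for c in rec.direct_calls()]} strings={rec.string_args()}")
        print(f"  key={token_key(rec)} matches_report={token_key(rec) == rec.reported_api_id} triage={triage(rec)}")
```

In the first record CreateProcessA appears only inside sub-call 0040526C, while WaitForSingleObject and GetExitCodeProcess are the function's own calls. A triage that looked at direct calls alone would see a function that waits on a handle and miss that it launches a child process, which is why triage() counts both kinds; direct_calls() is still the right view when deciding which function body to open in the disassembler.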
                                                                    APIs
                                                                    • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Program Files (x86)\Ortelia Curator,?), ref: 00401E07
                                                                    Strings
                                                                    • C:\Program Files (x86)\Ortelia Curator, xrefs: 00401DF2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: ExecuteShell
                                                                    • String ID: C:\Program Files (x86)\Ortelia Curator
                                                                    • API String ID: 587946157-387673481
                                                                    • Opcode ID: f69e8e64304c582337ff86cae38ef711e2aa22c260cbe21d960f4165b9c65205
                                                                    • Instruction ID: 1d9e37e4724715ff8eb4cd61c52570f4e17590a8471f76494d0d603f05069ab9
                                                                    • Opcode Fuzzy Hash: f69e8e64304c582337ff86cae38ef711e2aa22c260cbe21d960f4165b9c65205
                                                                    • Instruction Fuzzy Hash: C3F04C73B04301AACB50AFB19D4AE5E3BA8AB41398F200637F510F70C1D9FC8801B318
                                                                    APIs
                                                                    • GetPrivateProfileStringA.KERNEL32(00000000,?,!N~,?,000003FF,00000000), ref: 00402297
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString
                                                                    • String ID: !N~
                                                                    • API String ID: 1096422788-529124213
                                                                    • Opcode ID: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
                                                                    • Instruction ID: 21cd7503a9a85725414fd2f210def48a3ed87e9b9f52c0cacc02f36f79452d1c
                                                                    • Opcode Fuzzy Hash: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
                                                                    • Instruction Fuzzy Hash: E4E04F71900208BBDB50AFA1CD49DAE3AA8BF043C4F100129FA10AB1C1DBB89541AB55
                                                                    APIs
                                                                    • SendMessageA.USER32(00000408,?,00000000,004039F9), ref: 00403DB5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: x
                                                                    • API String ID: 3850602802-2363233923
                                                                    • Opcode ID: 2297d9a5740f239e563778608566daf4408a5e1d57364abcd084643e47e82489
                                                                    • Instruction ID: ab0c8c299765955ccbfa59721f842daf732f2f91f0a416ba9cb054cc648477c1
                                                                    • Opcode Fuzzy Hash: 2297d9a5740f239e563778608566daf4408a5e1d57364abcd084643e47e82489
                                                                    • Instruction Fuzzy Hash: 4FC01271A84201EADA209B02DE00B06BA71EBA4702F508039F385200B186706822DB0D
                                                                    APIs
                                                                      • Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Ortelia Curator 1.3 Setup,NSIS Error), ref: 00405A19
                                                                      • Part of subcall function 00405593: CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 004055A1
                                                                      • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
                                                                      • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5
                                                                    • lstrlenA.KERNEL32(0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 00405633
                                                                    • GetFileAttributesA.KERNELBASE(0042B3E8,0042B3E8,0042B3E8,0042B3E8,0042B3E8,0042B3E8,00000000,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 00405643
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                    • String ID:
                                                                    • API String ID: 3248276644-0
                                                                    • Opcode ID: da87c44caba5ef5b47b3dfc23c9f89bee904d632c2bc274008544d1b26360f61
                                                                    • Instruction ID: cbb7be82a93a6dd192d11d13e0df5a6c8cbb76871d8c278764bccb9a445afede
                                                                    • Opcode Fuzzy Hash: da87c44caba5ef5b47b3dfc23c9f89bee904d632c2bc274008544d1b26360f61
                                                                    • Instruction Fuzzy Hash: B5F02825205D6132D622363A1C49BAF1A56CD833247980D3BF854B12C6DB3D8943EE6E
                                                                    APIs
                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                                                    • Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
                                                                    • Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                                                    • Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D
                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 00404E8C
                                                                      • Part of subcall function 00403E0A: SendMessageA.USER32(0002048E,00000000,00000000,00000000), ref: 00403E1C
                                                                    • OleUninitialize.OLE32(00000404,00000000), ref: 00404ED8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeMessageSendUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2896919175-0
                                                                    • Opcode ID: 40dbed6342c342f19cf155c60ec5393d5941e5f8c4ce0c4d617a2ddd15e81d86
                                                                    • Instruction ID: 553340d25051964c1d9f2091c6121c40533f6be98ef284e5afc8434be7077bea
                                                                    • Opcode Fuzzy Hash: 40dbed6342c342f19cf155c60ec5393d5941e5f8c4ce0c4d617a2ddd15e81d86
                                                                    • Instruction Fuzzy Hash: 33F096B3A0820086E71197A6DD01B567BA4BBD4312F55403AFF45622E1D775584286DD
                                                                    APIs
                                                                    • SendMessageA.USER32(?,0000000B,?), ref: 00402875
                                                                    • InvalidateRect.USER32(?), ref: 00402885
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: InvalidateMessageRectSend
                                                                    • String ID:
                                                                    • API String ID: 909852535-0
                                                                    • Opcode ID: a5f93ca787052cb85bb993d16fb5bfc88cd44bd4415a14ef171f869fd08a24a6
                                                                    • Instruction ID: 5d37e61976acf5bdbec0b869d18ae9d7eae5027ec9d1abcfdb12a567b3c3e37f
                                                                    • Opcode Fuzzy Hash: a5f93ca787052cb85bb993d16fb5bfc88cd44bd4415a14ef171f869fd08a24a6
                                                                    • Instruction Fuzzy Hash: 7AE08CB2B40104AFEB10DB94EE85DAE7BBAEB40349B14007AF602F0060D2341D10CA28
                                                                    APIs
                                                                    • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401DB6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
APIs
• GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\CuratorStandardSetup.exe,80000000,00000003), ref: 004056E7
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• CloseHandle.KERNEL32(FFFFFFFF,004032EB,00000000), ref: 00403486
Strings
• C:\Users\user\AppData\Local\Temp\nss68C1.tmp\, xrefs: 0040349A
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\nss68C1.tmp\
• API String ID: 2962429428-1178210073
APIs
• GetFileAttributesA.KERNELBASE(?,004054CF,?,?,?), ref: 004056C8
• SetFileAttributesA.KERNELBASE(?,00000000), ref: 004056DA
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040225C
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EAA,000000FF,00000004,00000000,00000000,00000000), ref: 00403094
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• SetDlgItemTextA.USER32(?,?,00000000), ref: 00403DD8
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
APIs
• SendMessageA.USER32(0002048E,00000000,00000000,00000000), ref: 00403E1C
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,0000C3E4), ref: 004030BD
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• GetDlgItemTextA.USER32(?,?,00000400,004043B6), ref: 004052C4
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,00403BBD), ref: 00403DEA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
                                                                    • Instruction ID: 5393fb3fd4ec66336373a3cea7bd514d8462fd9d014250aae94180e38f4c2131
                                                                    • Opcode Fuzzy Hash: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
                                                                    • Instruction Fuzzy Hash: AFA002755051009BCA515B50DF048457A61A754701B458475F1459017487315861EB6A
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404710
                                                                    • GetDlgItem.USER32(?,00000408), ref: 0040471D
                                                                    • GlobalAlloc.KERNEL32(00000040,00000004), ref: 00404769
                                                                    • LoadBitmapA.USER32(0000006E), ref: 0040477C
                                                                    • SetWindowLongA.USER32(?,000000FC,00404CFA), ref: 00404796
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
                                                                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
                                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 004047D3
                                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047DF
                                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047F1
                                                                    • DeleteObject.GDI32(?), ref: 004047F6
                                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404821
                                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040482D
                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C2
                                                                    • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048ED
                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404901
                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00404930
                                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040493E
                                                                    • ShowWindow.USER32(?,00000005), ref: 0040494F
                                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A52
                                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404AB7
                                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404ACC
                                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AF0
                                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B16
                                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 00404B2B
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00404B3B
                                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404BAB
                                                                    • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C54
                                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C63
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
                                                                    • ShowWindow.USER32(?,00000000), ref: 00404CD1
                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00404CDC
                                                                    • ShowWindow.USER32(00000000), ref: 00404CE3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $M$N
                                                                    • API String ID: 1638840714-813528018
                                                                    • Opcode ID: 57f182740db5fe61732acf0e410570fe996ce2284a30397408fd5fbc89f17923
                                                                    • Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
                                                                    • Opcode Fuzzy Hash: 57f182740db5fe61732acf0e410570fe996ce2284a30397408fd5fbc89f17923
                                                                    • Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58
                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID:
                                                                    • API String ID: 1974802433-0
                                                                    • Opcode ID: 5ec8cfe3ecd6d47a33181b223f4745e968f2e88ce0dfbd25e8ae3887cda06d2f
                                                                    • Instruction ID: c4edc1118dc91e0c9440d01bfde8b8f2caf312925950fbc99ec99334c7621aa2
                                                                    • Opcode Fuzzy Hash: 5ec8cfe3ecd6d47a33181b223f4745e968f2e88ce0dfbd25e8ae3887cda06d2f
                                                                    • Instruction Fuzzy Hash: E3F0E572648101DFD700EBB49D49AEEB768DF51328FA007BBF502F20C1C2B84945DB2A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
                                                                    • Instruction ID: 671146196c1174ec618cbc22bbed2adbdbe1d7b4d249fb8fe9215707769dedfe
                                                                    • Opcode Fuzzy Hash: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
                                                                    • Instruction Fuzzy Hash: 3FE16971901B09DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1D378AA51CF44
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
                                                                    • Instruction ID: ce73a9d55fc041a401e528a6b0bed7c2fc314d3430b7e91baefc2d4226deaab1
                                                                    • Opcode Fuzzy Hash: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
                                                                    • Instruction Fuzzy Hash: 51C13A71A002698BDF14CF68C4905EEB7B2FF99314F26827AD856B7380D7346952CF94
                                                                    APIs
                                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                    • SetTextColor.GDI32(00000000,?), ref: 00401130
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                    • DrawTextA.USER32(00000000,Ortelia Curator 1.3 Setup,000000FF,00000010,00000820), ref: 00401156
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F$Ortelia Curator 1.3 Setup
                                                                    • API String ID: 941294808-1595582286
                                                                    • Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                                    • Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
                                                                    • Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                                    • Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5
                                                                    APIs
                                                                      • Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                                      • Part of subcall function 00405D2E: LoadLibraryA.KERNELBASE(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                                      • Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054EF,?,00000000,000000F1,?), ref: 004057A7
                                                                    • GetShortPathNameA.KERNEL32(?,0042C170,00000400), ref: 004057B0
                                                                    • GetShortPathNameA.KERNEL32(00000000,0042BBE8,00000400), ref: 004057CD
                                                                    • wsprintfA.USER32 ref: 004057EB
                                                                    • GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040584B
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004058A3
                                                                    • GlobalFree.KERNEL32(00000000), ref: 004058AA
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004058B1
                                                                      • Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
                                                                      • Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                                                    • String ID: %s=%s$[Rename]
                                                                    • API String ID: 3772915668-1727408572
                                                                    • Opcode ID: dff5e8461f90d0a7b08308301f80b1547d188907f97dbbe474557014f1802e0f
                                                                    • Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
                                                                    • Opcode Fuzzy Hash: dff5e8461f90d0a7b08308301f80b1547d188907f97dbbe474557014f1802e0f
                                                                    • Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD
                                                                    APIs
                                                                    • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
                                                                    • CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
                                                                    • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
                                                                    • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: "C:\Users\user\Desktop\CuratorStandardSetup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                    • API String ID: 589700163-3956143046
                                                                    • Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                                                                    • Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
                                                                    • Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                                                                    • Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D
                                                                    APIs
                                                                    • GetWindowLongA.USER32(?,000000EB), ref: 00403E42
                                                                    • GetSysColor.USER32(00000000), ref: 00403E5E
                                                                    • SetTextColor.GDI32(?,00000000), ref: 00403E6A
                                                                    • SetBkMode.GDI32(?,?), ref: 00403E76
                                                                    • GetSysColor.USER32(?), ref: 00403E89
                                                                    • SetBkColor.GDI32(?,?), ref: 00403E99
                                                                    • DeleteObject.GDI32(?), ref: 00403EB3
                                                                    • CreateBrushIndirect.GDI32(?), ref: 00403EBD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                                    • Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
                                                                    • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                                    • Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95
                                                                    APIs
                                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404694
                                                                    • GetMessagePos.USER32 ref: 0040469C
                                                                    • ScreenToClient.USER32(?,?), ref: 004046B6
                                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 004046C8
                                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046EE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                                    • Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
                                                                    • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                                    • Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
                                                                    • MulDiv.KERNEL32(05E42D57,00000064,05E42D5B), ref: 00402B81
                                                                    • wsprintfA.USER32 ref: 00402B91
                                                                    • SetWindowTextA.USER32(?,?), ref: 00402BA1
                                                                    • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
                                                                    Strings
                                                                    • verifying installer: %d%%, xrefs: 00402B8B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                    • String ID: verifying installer: %d%%
                                                                    • API String ID: 1451636040-82062127
                                                                    • Opcode ID: 88d0dac49edd4e43850ca6534a0273d45c9ec63cef5e7f7572ebdb890a3a35d4
                                                                    • Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
                                                                    • Opcode Fuzzy Hash: 88d0dac49edd4e43850ca6534a0273d45c9ec63cef5e7f7572ebdb890a3a35d4
                                                                    • Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99
                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00401D22
                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                                                                    • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                                                                    • CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirect
                                                                    • String ID: MS Shell Dlg
                                                                    • API String ID: 3272661963-76309092
                                                                    • Opcode ID: cde7f90e9653f28e0253788fad6bfaf6f4cce6a54e225caafa13451a0e0ea16a
                                                                    • Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
                                                                    • Opcode Fuzzy Hash: cde7f90e9653f28e0253788fad6bfaf6f4cce6a54e225caafa13451a0e0ea16a
                                                                    • Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402A9C
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402AC1
                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Close$DeleteEnumOpen
                                                                    • String ID:
                                                                    • API String ID: 1912718029-0
                                                                    • Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
                                                                    • Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
                                                                    • Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
                                                                    • Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69
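The function records on this page all share one layout: an "APIs" list of `Name.MODULE(args), ref: addr` call sites (with indented "Part of subcall function" entries for calls made through a callee), an optional "Strings" list of `text, xrefs: addr`, and "Memory Dump Source" / "Similarity" key-value lines carrying the dump name, the API ID and the Opcode ID. The registry block just above (RegOpenKeyExA, RegEnumKeyA, RegDeleteKeyA) is the kind of record a triager wants to pull out of a few thousand such entries. The parser below is an added example, not code from the Joe Sandbox report or its tooling: the regular expressions are this example's own reading of the layout, and `WATCHLIST` is an assumed triage heuristic, not anything the report defines. The sample input is constructed from two records copied from this page.

```python
"""Parse the Joe Sandbox IDA-plugin function records shown on this page.

Added example, not code from the Joe Sandbox report or its tooling. The line
patterns are this example's own reading of the record layout ("Name.MODULE(args),
ref: addr", "text, xrefs: addr", "Key: value") and WATCHLIST is an assumed
triage heuristic, not anything the report defines.
"""
import re
from dataclasses import dataclass, field

# Constructed input: two records copied from this report, trimmed to the fields used.
SAMPLE = """\
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
• RegCloseKey.ADVAPI32(?), ref: 00402A9C
• RegCloseKey.ADVAPI32(?), ref: 00402AC1
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
Memory Dump Source
• Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
• MulDiv.KERNEL32(05E42D57,00000064,05E42D5B), ref: 00402B81
• wsprintfA.USER32 ref: 00402B91
• SetWindowTextA.USER32(?,?), ref: 00402BA1
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
  • Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977
Strings
• verifying installer: %d%%, xrefs: 00402B8B
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• Opcode ID: 88d0dac49edd4e43850ca6534a0273d45c9ec63cef5e7f7572ebdb890a3a35d4
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+): (?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple           # raw argument tokens; "?" means the report could not resolve it
    ref: str              # call-site address
    subcall_of: str = ""  # callee address when the line is "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    meta: dict = field(default_factory=dict)     # Source File, API ID, Opcode ID, ...

    @property
    def first_ref(self) -> str:
        """Address of the first call site; used as the record's identifier."""
        return self.apis[0].ref if self.apis else ""


def parse_records(text: str) -> list:
    """Split the dump into records; every 'APIs' header starts a new one."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                # the HTML export indents every line
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue                      # blank lines and page chrome
        body = line[1:].strip()
        if section == "APIs":
            parent = ""
            if sub := SUBCALL_RE.match(body):
                parent, body = sub.group("fn"), sub.group("rest")
            if m := API_RE.match(body):
                args = tuple(a for a in (m.group("args") or "").split(",") if a)
                current.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), parent))
        elif section == "Strings":
            if m := STRING_RE.match(body):
                current.strings.append((m.group("text"), m.group("ref")))
        elif m := KV_RE.match(body):
            current.meta[m.group("key")] = m.group("val")
    return records


# Assumed triage heuristic: API names worth a second look inside an installer stub.
WATCHLIST = {
    "registry-delete": {"RegDeleteKeyA", "RegDeleteKeyW", "RegDeleteValueA", "RegDeleteValueW"},
    "version-probe": {"GetFileVersionInfoA", "GetFileVersionInfoSizeA", "VerQueryValueA"},
    "service-control": {"DeleteService", "ControlService", "OpenSCManagerA"},
}


def triage(records: list) -> list:
    """Return (function address, matched tags, Opcode ID prefix) for records on the watchlist."""
    hits = []
    for rec in records:
        names = {a.name for a in rec.apis if not a.subcall_of}  # direct calls only
        tags = sorted(tag for tag, apis in WATCHLIST.items() if names & apis)
        if tags:
            hits.append((rec.first_ref, tags, rec.meta.get("Opcode ID", "")[:16]))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec.first_ref, rec.meta.get("API ID"), [a.name for a in rec.apis], rec.strings)
    print(triage(recs))
```

The argument split is deliberately naive (a comma inside a quoted path argument, as in the CharNextA record near the top of this page, would be split too), so treat `args` as tokens for eyeballing rather than as a faithful call signature. The Opcode ID and Instruction Fuzzy Hash carried in `meta` are the values to pivot on when checking whether the same function body appears in other samples.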
                                                                    APIs
                                                                    • GetDlgItem.USER32(?), ref: 00401CC5
                                                                    • GetClientRect.USER32(00000000,?), ref: 00401CD2
                                                                    • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
                                                                    • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                                                                    • DeleteObject.GDI32(00000000), ref: 00401D10
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: bcf2014c00065f5201b430a5429a32b7385cfa622623bd2341514d29d8348619
                                                                    • Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
                                                                    • Opcode Fuzzy Hash: bcf2014c00065f5201b430a5429a32b7385cfa622623bd2341514d29d8348619
                                                                    • Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69
                                                                    APIs
                                                                    • SetWindowTextA.USER32(00000000,Ortelia Curator 1.3 Setup), ref: 004038B6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: TextWindow
                                                                    • String ID: 1033$C:\Users\user\AppData\Local\Temp\$Ortelia Curator 1.3 Setup
                                                                    • API String ID: 530164218-1461998620
                                                                    • Opcode ID: 1025670415ed7299d3a4535275ffdf3c061a3cffc7b258d7069b92854ad026b7
                                                                    • Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
                                                                    • Opcode Fuzzy Hash: 1025670415ed7299d3a4535275ffdf3c061a3cffc7b258d7069b92854ad026b7
                                                                    • Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 00404D30
                                                                    • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D9E
                                                                      • Part of subcall function 00403E0A: SendMessageA.USER32(0002048E,00000000,00000000,00000000), ref: 00403E1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID: $Admin
                                                                    • API String ID: 3748168415-1090614445
                                                                    • Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
                                                                    • Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
                                                                    • Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
                                                                    • Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
                                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 0040550E
                                                                    • lstrcatA.KERNEL32(?,00409010), ref: 0040551F
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
                                                                    Similarity
                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                    • API String ID: 2659869361-3081826266
                                                                    • Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                                                                    • Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
                                                                    • Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                                                                    • Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE
APIs
• GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
• GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
• VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
  • Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977
Memory Dump Source
• Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
Similarity
• API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
• String ID:
• API String ID: 1404258612-0
• Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
• Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
• Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
• Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28

APIs
• CharNextA.USER32(ES@,?,0042B3E8,00000000,004055F7,0042B3E8,0042B3E8,?,?,00000000,00405345,?,"C:\Users\user\Desktop\CuratorStandardSetup.exe",00000000), ref: 004055A1
• CharNextA.USER32(00000000), ref: 004055A6
• CharNextA.USER32(00000000), ref: 004055B5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
Similarity
• API ID: CharNext
• String ID: ES@
• API String ID: 3213498283-1851447614
• Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
• Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
• Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
• Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA

APIs
• DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
• GetTickCount.KERNEL32 ref: 00402BEF
• CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
• ShowWindow.USER32(00000000,00000005), ref: 00402C1A
Memory Dump Source
• Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
• Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
• Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
• Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D

APIs
• lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
• WriteFile.KERNEL32(00000000,?,State,00000000,?,?,00000000,00000011), ref: 004024FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
Similarity
• API ID: FileWritelstrlen
• String ID: State
• API String ID: 427699356-1649606143
• Opcode ID: f8afe27f35a0341f5f43dc116950efcf8e5d728f532d9ae0525ec423e2171d68
• Instruction ID: 266b505f4b4a70e0031bd9b61304a7f29979de1156be46298b6644775383f0d6
• Opcode Fuzzy Hash: f8afe27f35a0341f5f43dc116950efcf8e5d728f532d9ae0525ec423e2171d68
• Instruction Fuzzy Hash: 70F0B4B2B04201AFDB00EBA19E49AAF36589B40348F14443BB142F50C2D6BC4941AB6D

APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CuratorStandardSetup.exe,C:\Users\user\Desktop\CuratorStandardSetup.exe,80000000,00000003), ref: 0040554C
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CuratorStandardSetup.exe,C:\Users\user\Desktop\CuratorStandardSetup.exe,80000000,00000003), ref: 0040555A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-224404859
• Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
• Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
• Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
• Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD

APIs
• lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405678
• CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405686
• lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F
Memory Dump Source
• Source File: 00000000.00000002.2238416016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2238379977.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238448503.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238488465.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.0000000000438000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2238596455.000000000043B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CuratorStandardSetup.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
• Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
• Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
• Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF

Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 5.8%
Total number of Nodes: 607
Total number of Limit Nodes: 23

execution_graph (node annotations; the `id->id` edge tokens of the flat export are not rendered). Every node address lies in the 0x3E...... range, outside the 0x400000 PE image, consistent with the 100% Dynamic/Decrypted Code Coverage figure above. Unannotated start nodes as listed: 102010 3e673a4 and 102107 3e21e90.

Nodes with named API calls (node id, address, calls), in order of appearance:
• 102050 3e674a3: GetModuleHandleA CreateIcon
• 102073 3e66c62: CreateIconFromResourceEx
• 102075 3e66c94: CreateIconFromResource
• 102080 3e35eb9: RtlFreeHeap
• 102083 3e35ed0: GetLastError
• 102104 3e3b722: VirtualFree VirtualFree HeapFree
• 102105 3e35eaf: RtlLeaveCriticalSection _raise
• 102129 3e1d6d5: GetVersionExA
• 102355 3e15c31: GetTickCount GetTickCount
• 102447 3e18bf1: FindWindowA GetWindowThreadProcessId OpenProcess TerminateProcess CloseHandle
• 102457 3e205c1: GetModuleHandleA GetProcAddress RaiseException __CxxThrowException@8
• 102460 3e1ce00: __VEC_memcpy RaiseException _realloc __CxxThrowException@8
• 102456 3e20501: GetModuleHandleA GetProcAddress RaiseException __CxxThrowException@8
• 102461 3e1d580: VirtualProtect RaiseException __CxxThrowException@8
• 102459 3e206a1: RaiseException __CxxThrowException@8
• 102439 3e366c6: RaiseException
• 102299 3e36882: IsDebuggerPresent
• 102303 3e3ca50: SetUnhandledExceptionFilter UnhandledExceptionFilter
• 102304 3e3ca75: GetCurrentProcess TerminateProcess
• 102315 3e35e07: RtlAllocateHeap
• 102336 3e3723a: GetModuleHandleA
• 102337 3e37249: GetProcAddress
• 102338 3e3725f: ExitProcess
• 102345 3e1f47e: VerSetConditionMask VerSetConditionMask VerifyVersionInfoA
• 102346 3e1f4fc: GetModuleHandleA
• 102347 3e1f515: GetProcAddress GetProcAddress
• 102351 3e1f550: RtlAddVectoredExceptionHandler
• 102352 3e1f569: KiUserExceptionDispatcher
• 102475 3e20251: GetVersion
• 102374 3e1cfc4: GetModuleFileNameA
• 102485 3eba1d0: CreateFileA
• 102393 3e3399b: SetErrorMode SetErrorMode
• 102404 3e339f9: GetModuleHandleA
• 102407 3e33a08: GetProcAddress
• 102423 3e1dd06: VirtualProtect

Nodes summarised only by call count or CRT helper (address: annotation):
• 3e66ed5: 74 API calls 3 library calls
• 3e66c4f: 2 API calls
• 3e6734f: 68 API calls std::_String_base::_Xlen
• 3e35e59: _realloc 66 API calls
• 3e35e65: ___BuildCatchObjectHelper
• 3e35ede: _realloc ___BuildCatchObjectHelper
• 3e35e7c: ___sbh_find_block
• 3e3b67e: 66 API calls 2 library calls
• 3e3a1c2: 66 API calls _raise
• 3e1af71: 67 API calls 2 library calls
• 3e236a8: std::_String_base::_Xlen 66 API calls
• 3e1ddc0: 78 API calls
• 3e36878: __fltout2 5 API calls
• 3e35d96: _malloc 66 API calls
• 3e1f410: 13 API calls
• 3e1ab61: 68 API calls
• 3e15ce1: 67 API calls 2 library calls
• 3e20131: 68 API calls 4 library calls
• 3e1d0c0: 66 API calls _memcmp
• 3e1e040: 67 API calls 2 library calls
• 3e20441: 8 API calls __CxxThrowException@8
• 3e1cd50: 66 API calls _realloc
• 3e1ff71: 72 API calls 2 library calls
• 3e1d440: 114 API calls
• 3e1fcc1: 5 API calls __CxxThrowException@8
• 3e1cbe0: 66 API calls _malloc
• 3e18501: 106 API calls _printf
• 3e1deb0: 80 API calls
• 3e16bd0: 70 API calls
• 3e1db30: 78 API calls
• 3e16dd0: 67 API calls 2 library calls
• 3e1f230, 3e1f280, 3e1f2d0, 3e1f320: 66 API calls 2 library calls (each)
• 3e16d80: 104 API calls
• 3e1e7d2: _memset
• 3e16ce0: 66 API calls _realloc
• 3e3ca6d: __invoke_watson
• 3e3c4ba: 66 API calls __CRT_INIT@12
• 3e35d47: 66 API calls 4 library calls
• 3e3c477: 66 API calls 2 library calls
• 3e3c2d7: 66 API calls 7 library calls
• 3e38c68: 68 API calls 4 library calls
• 3e35efc: __VEC_memzero
• 3e17db1: 66 API calls _calloc
• 3e1d1f0: 66 API calls 3 library calls
• 3e362d5: 72 API calls 9 library calls
• 3e36687: _calloc 66 API calls
• 3e2520b: ctype 97 API calls
• 3e25ed8: 99 API calls ctype
102462->102222 102590 3e373c4 102463->102590 102465 3e374b3 102465->102240 102466->102146 102467->102146 102468->102146 102469->102146 102470->102146 102471->102146 102472->102146 102473->102146 102474->102146 102476 3e20260 102475->102476 102477 3e2029c 102475->102477 102478 3e20276 CreateFileA 102476->102478 102479 3e202b2 CreateFileA 102477->102479 102480 3e2029a 102478->102480 102481 3e20289 CloseHandle 102478->102481 102482 3e202d6 102479->102482 102483 3e202c5 CloseHandle 102479->102483 102480->102482 102481->102482 102482->102366 102484 3e366c6 RaiseException 102482->102484 102483->102482 102484->102366 102486 3eba1ff GetLastError 102485->102486 102487 3eba22c 102485->102487 102489 3eba221 102486->102489 102493 3eba0f0 GetFileSize CreateFileMappingA 102487->102493 102489->102383 102490 3eba23a 102490->102383 102491->102382 102492->102380 102494 3eba11f GetLastError 102493->102494 102495 3eba145 MapViewOfFile 102493->102495 102498 3eba13f 102494->102498 102496 3eba15b GetLastError 102495->102496 102497 3eba17b 102495->102497 102496->102497 102497->102490 102498->102490 102535 3e24743 102499->102535 102501 3e2521a 102502 3e2523d 102501->102502 102544 3e2433a 8 API calls 3 library calls 102501->102544 102504 3e248cd 102502->102504 102505 3e247f0 102504->102505 102506 3e248f1 GetModuleFileNameW 102505->102506 102507 3e2491c 102506->102507 102511 3e24930 102506->102511 102509 3e24926 SetLastError 102507->102509 102507->102511 102508 3e36878 __fltout2 5 API calls 102510 3e249b2 102508->102510 102509->102511 102510->102398 102511->102508 102513 3e2520b ctype 97 API calls 102512->102513 102514 3e33841 GetModuleFileNameA 102513->102514 102515 3e33869 102514->102515 102516 3e33872 PathFindExtensionA 102515->102516 102554 3e2fe97 RaiseException __CxxThrowException@8 102515->102554 102518 3e33886 102516->102518 102519 3e3388b 102516->102519 102555 3e2fe97 RaiseException __CxxThrowException@8 102518->102555 102556 3e337de 80 API calls ctype 102519->102556 102522 3e338a5 
102523 3e338ae 102522->102523 102557 3e2fe97 RaiseException __CxxThrowException@8 102522->102557 102532 3e338c0 102523->102532 102558 3e3ad54 66 API calls 4 library calls 102523->102558 102527 3e33983 102528 3e36878 __fltout2 5 API calls 102527->102528 102531 3e33993 102528->102531 102531->102400 102532->102527 102533 3e3ad54 66 API calls __strdup 102532->102533 102559 3e2413d 102 API calls ctype 102532->102559 102560 3e314a0 66 API calls _strcpy_s 102532->102560 102561 3e3ace3 66 API calls __mbsnbcmp_l 102532->102561 102533->102532 102534->102404 102540 3e2474f __EH_prolog3 102535->102540 102536 3e2479d 102545 3e242d3 RtlEnterCriticalSection 102536->102545 102540->102536 102552 3e237d1 2 API calls 4 library calls 102540->102552 102541 3e247c3 std::_String_base::_Xlen 102541->102501 102542 3e247b0 102553 3e245f8 87 API calls 4 library calls 102542->102553 102544->102501 102546 3e24311 RtlLeaveCriticalSection 102545->102546 102547 3e242ea 102545->102547 102549 3e2431a 102546->102549 102547->102546 102548 3e242ef TlsGetValue 102547->102548 102548->102546 102550 3e242fb 102548->102550 102549->102541 102549->102542 102550->102546 102551 3e24300 RtlLeaveCriticalSection 102550->102551 102551->102549 102552->102540 102553->102541 102556->102522 102558->102532 102559->102532 102560->102532 102561->102532 102563 3eba19b UnmapViewOfFile 102562->102563 102564 3eba1a2 102562->102564 102563->102564 102565 3eba1af FindCloseChangeNotification 102564->102565 102566 3eba1b2 102564->102566 102565->102566 102567 3eba1c3 102566->102567 102568 3eba1c0 CloseHandle 102566->102568 102567->102416 102568->102567 102570 3e36575 ___BuildCatchObjectHelper 102569->102570 102571 3e365ac _memset 102570->102571 102572 3e3658d 102570->102572 102576 3e3661e RtlAllocateHeap 102571->102576 102577 3e365a2 ___BuildCatchObjectHelper 102571->102577 102586 3e3b67e 66 API calls 2 library calls 102571->102586 102587 3e3becb 5 API calls 2 library calls 102571->102587 102588 3e36665 RtlLeaveCriticalSection 
_raise 102571->102588 102589 3e3c4ba 66 API calls __CRT_INIT@12 102571->102589 102584 3e3a1c2 66 API calls _raise 102572->102584 102574 3e36592 102585 3e3c846 66 API calls 2 library calls 102574->102585 102576->102571 102577->102450 102582->102452 102583->102454 102584->102574 102586->102571 102587->102571 102588->102571 102589->102571 102591 3e373d0 ___BuildCatchObjectHelper 102590->102591 102609 3e3b67e 66 API calls 2 library calls 102591->102609 102593 3e373d7 102594 3e37456 _abort 102593->102594 102595 3e373fb 102593->102595 102614 3e37491 RtlLeaveCriticalSection _raise 102594->102614 102610 3e3d7f6 66 API calls __CRT_INIT@12 102595->102610 102597 3e37472 102599 3e3748e ___BuildCatchObjectHelper 102597->102599 102615 3e3b5a6 RtlLeaveCriticalSection 102597->102615 102599->102465 102600 3e37406 102611 3e3d7f6 66 API calls __CRT_INIT@12 102600->102611 102603 3e37485 102604 3e37260 _malloc 3 API calls 102603->102604 102604->102599 102605 3e37446 _abort 102605->102594 102606 3e37414 102606->102605 102612 3e3d7ed 66 API calls __initp_misc_cfltcvt_tab 102606->102612 102613 3e3d7f6 66 API calls __CRT_INIT@12 102606->102613 102609->102593 102610->102600 102611->102606 102612->102606 102613->102606 102614->102597 102615->102603 102616->102303 102617 3e21e10 102618 3e21e1c GetModuleHandleA GetProcAddress 102617->102618 102619 3e21e6d MessageBoxA 102617->102619 102621 3e21e61 102618->102621 102622 3e21e4a NtSetInformationProcess 102618->102622 102620 3e21e66 102619->102620 102624 3e13a31 66 API calls std::_String_base::_Xlen 102621->102624 102622->102621 102624->102620 102625 3e14b35 102626 3e14b3e 102625->102626 102627 3e14b42 102626->102627 102629 3e36988 67 API calls 3 library calls 102626->102629 102629->102627 102630 3e26d25 KiUserCallbackDispatcher GetSystemMetrics GetSystemMetrics GetSystemMetrics 102631 3e26d5a 102630->102631 102632 419228 102633 419390 102632->102633 102634 419243 102632->102634 102637 4192ae GetModuleHandleA 102634->102637 102640 4192c8 
GetProcAddress 102637->102640 102641 4192d5 102640->102641 102650 4192ed GetProcAddress 102641->102650 102643 4192e0 102644 4192ed GetProcAddress 102643->102644 102647 419338 102643->102647 102645 4194af 102644->102645 102646 4192fa VirtualAlloc GetTickCount 102645->102646 102646->102647 102648 4193b3 GetModuleHandleA GetProcAddress 102647->102648 102649 41937d 102648->102649 102656 4194af 102650->102656 102653 419338 102658 4193b3 102653->102658 102657 4192fa VirtualAlloc GetTickCount 102656->102657 102657->102653 102659 4193c1 102658->102659 102660 4193d1 GetModuleHandleA 102659->102660 102661 41937d 102659->102661 102664 4193f3 102660->102664 102662 419405 GetProcAddress 102663 41941b 102662->102663 102662->102664 102663->102661 102664->102659 102664->102662 102665 3e88821 102678 3e883eb CoInitialize 102665->102678 102670 3e88839 102671 3e8886c GetFileAttributesA 102671->102670 102672 3e8888c 102671->102672 102687 3e88417 102672->102687 102673 3e888c6 102673->102670 102704 3e885eb MultiByteToWideChar SysAllocStringLen MultiByteToWideChar SysFreeString 102673->102704 102679 3e883fa 102678->102679 102679->102670 102680 3e881b6 GetVersionExA 102679->102680 102681 3e881dd 102680->102681 102685 3e881d6 102680->102685 102682 3e8823a __mbsstr_l 102681->102682 102683 3e881fb __mbsstr_l 102681->102683 102681->102685 102682->102685 102706 3e36f68 90 API calls _strtol 102682->102706 102683->102685 102705 3e36f68 90 API calls _strtol 102683->102705 102685->102670 102685->102671 102685->102673 102690 3e8843b 102687->102690 102688 3e88440 102688->102670 102693 3e88711 102688->102693 102689 3e884fe SysFreeString 102689->102688 102690->102688 102692 3e88450 102690->102692 102707 3e883d7 102690->102707 102692->102688 102692->102689 102694 3e88417 4 API calls 102693->102694 102695 3e88737 102694->102695 102696 3e883d7 3 API calls 102695->102696 102703 3e88750 102695->102703 102697 3e88763 102696->102697 102698 3e883d7 3 API calls 102697->102698 102698->102703 102699 3e8880b 
SysFreeString 102700 3e88810 102699->102700 102701 3e8881a 102700->102701 102702 3e88815 SysFreeString 102700->102702 102701->102670 102702->102701 102703->102699 102703->102700 102704->102670 102705->102685 102706->102685 102710 3e88397 MultiByteToWideChar SysAllocStringLen 102707->102710 102711 3e883cf 102710->102711 102712 3e883c4 MultiByteToWideChar 102710->102712 102711->102692 102712->102711 102713 3e2449e 102723 3e239de 102713->102723 102716 3e244da 102717 3e24502 GlobalFix 102716->102717 102718 3e244de 102716->102718 102721 3e24521 _memset 102717->102721 102719 3e244f3 RtlLeaveCriticalSection 102718->102719 102720 3e244e5 GlobalHandle GlobalFix 102718->102720 102720->102719 102722 3e24535 RtlLeaveCriticalSection 102721->102722 102724 3e239f1 ctype 102723->102724 102725 3e239fe GlobalAlloc 102724->102725 102727 3e239a3 79 API calls ctype 102724->102727 102725->102716 102728 3e3973d 102729 3e39750 GetProcessHeap RtlAllocateHeap 102728->102729 102730 3e39867 102728->102730 102733 3e39774 GetVersionExA 102729->102733 102745 3e3976d 102729->102745 102731 3e398a2 102730->102731 102732 3e3986d 102730->102732 102734 3e39900 102731->102734 102735 3e398a7 102731->102735 102740 3e3988c 102732->102740 102732->102745 102799 3e374c8 66 API calls _abort 102732->102799 102736 3e39784 GetProcessHeap HeapFree 102733->102736 102737 3e3978f GetProcessHeap HeapFree 102733->102737 102734->102745 102810 3e3db4b 78 API calls 2 library calls 102734->102810 102802 3e3d86d TlsGetValue 102735->102802 102736->102745 102739 3e397bb 102737->102739 102781 3e3c209 HeapCreate 102739->102781 102740->102745 102800 3e40394 67 API calls _realloc 102740->102800 102747 3e397f1 102747->102745 102750 3e397fa 102747->102750 102749 3e398b8 102749->102745 102808 3e3d7f6 66 API calls __CRT_INIT@12 102749->102808 102790 3e3dbb4 75 API calls 5 library calls 102750->102790 102751 3e39896 102801 3e3d89f 67 API calls __CRT_INIT@12 102751->102801 102755 3e397ff __RTC_Initialize 102760 3e39812 GetCommandLineA 
102755->102760 102773 3e39803 102755->102773 102757 3e398d6 102761 3e398f4 102757->102761 102762 3e398dd 102757->102762 102792 3e4131f 76 API calls 2 library calls 102760->102792 102765 3e35e59 _realloc 66 API calls 102761->102765 102809 3e3d8dc 66 API calls 4 library calls 102762->102809 102780 3e39808 102765->102780 102766 3e39822 102793 3e40140 71 API calls 3 library calls 102766->102793 102768 3e398e4 GetCurrentThreadId 102768->102745 102769 3e3982c 102770 3e39830 102769->102770 102795 3e41266 111 API calls 3 library calls 102769->102795 102794 3e3d89f 67 API calls __CRT_INIT@12 102770->102794 102791 3e3c263 VirtualFree HeapFree HeapFree HeapDestroy 102773->102791 102774 3e3983c 102775 3e39850 102774->102775 102796 3e40ff3 110 API calls 6 library calls 102774->102796 102775->102780 102798 3e40394 67 API calls _realloc 102775->102798 102778 3e39845 102778->102775 102797 3e37332 74 API calls 4 library calls 102778->102797 102780->102745 102782 3e3c229 102781->102782 102783 3e3c22c 102781->102783 102782->102747 102811 3e3c1ae 66 API calls 3 library calls 102783->102811 102785 3e3c231 102786 3e3c25f 102785->102786 102812 3e3b6af RtlAllocateHeap 102785->102812 102786->102747 102788 3e3c245 102788->102786 102789 3e3c24a HeapDestroy 102788->102789 102789->102782 102790->102755 102791->102780 102792->102766 102793->102769 102795->102774 102796->102778 102797->102775 102798->102770 102799->102740 102800->102751 102803 3e3d880 102802->102803 102804 3e398ac 102802->102804 102813 3e3d7f6 66 API calls __CRT_INIT@12 102803->102813 102807 3e40e71 66 API calls __calloc_impl 102804->102807 102806 3e3d88b TlsSetValue 102806->102804 102807->102749 102808->102757 102809->102768 102810->102745 102811->102785 102812->102788 102813->102806

                                                                    Control-flow Graph
                                                                    (rendered as an image in the original report; legend: • Executed / • Not Executed. Only the block list survives extraction.)
                                                                    Function 3e1f410-3e1f5eb: 3e1f410-3e1f4f6 (call 3e35ef0, VerSetConditionMask x2, VerifyVersionInfoA) branches either to 3e1f5cb (call 3e11db0) or to 3e1f4fc-3e1f50e (GetModuleHandleA) -> 3e1f515-3e1f540 (GetProcAddress x2) -> 3e1f542-3e1f549 -> 3e1f550-3e1f567 (RtlAddVectoredExceptionHandler) -> 3e1f569-3e1f588 (KiUserExceptionDispatcher) -> 3e1f59a-3e1f5a7 -> 3e1f5b1-3e1f5c9. A missing module handle (3e1f510) or missing export (3e1f54b) skips straight to the epilogue; all paths join at 3e1f5d0-3e1f5eb (call 3e36878).
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E1F479
                                                                    • VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 03E1F4B9
                                                                    • VerSetConditionMask.NTDLL(00000000,00000000,00000001,00000003), ref: 03E1F4D1
                                                                    • VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000,00000000), ref: 03E1F4EE
                                                                    • GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 03E1F501
                                                                    • GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 03E1F51E
                                                                    • GetProcAddress.KERNEL32(00000000,RemoveVectoredExceptionHandler), ref: 03E1F530
                                                                    Strings
                                                                    • Kernel32.dll, xrefs: 03E1F4FC
                                                                    • AddVectoredExceptionHandler, xrefs: 03E1F515
                                                                    • RemoveVectoredExceptionHandler, xrefs: 03E1F527
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressConditionMaskProc$HandleInfoModuleVerifyVersion_memset
                                                                    • String ID: AddVectoredExceptionHandler$Kernel32.dll$RemoveVectoredExceptionHandler
                                                                    • API String ID: 2949876956-401078599
                                                                    • Opcode ID: 613e07e1d2c5796207450befd445e57f4c9e2a31e5c853c1ddab58778f13540f
                                                                    • Instruction ID: b415af64111a64de7ba8a841c97bb9a3b8f7631d6f4d93701135db73b558244a
                                                                    • Opcode Fuzzy Hash: 613e07e1d2c5796207450befd445e57f4c9e2a31e5c853c1ddab58778f13540f
                                                                    • Instruction Fuzzy Hash: B0511AB0D41218AFDB10DF94DC49BDEBBB4FF48704F104299E519B6280D7B95A45CFA4

                                                                    Control-flow Graph
                                                                    (rendered as an image in the original report; legend: • Executed / • Not Executed. Only the block list survives extraction.)
                                                                    Function 3e21e10-3e21e89: 3e21e10-3e21e1a branches either to 3e21e1c-3e21e48 (GetModuleHandleA, GetProcAddress) or to 3e21e6d-3e21e7b (MessageBoxA). After GetProcAddress the code either executes 3e21e4a-3e21e5e (NtSetInformationProcess) or skips it; both continue to 3e21e61-3e21e6b (call 3e13a31), and every path ends at 3e21e81-3e21e89.
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 03E21E29
                                                                    • GetProcAddress.KERNEL32(?,NtSetInformationProcess), ref: 03E21E3B
                                                                    • NtSetInformationProcess.NTDLL(000000FF,00000022,00000002,00000004), ref: 03E21E5B
                                                                    • MessageBoxA.USER32(00000000,DllMain Failed!,DllMain,00000000), ref: 03E21E7B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleInformationMessageModuleProcProcess
                                                                    • String ID: DllMain$DllMain Failed!$NtSetInformationProcess$ntdll.dll
                                                                    • API String ID: 2026459987-2240195654
                                                                    • Opcode ID: b6b5660e9a1875b8a3f44e0c4193ef9374b1fff0e7f577c35b57e42a75eae888
                                                                    • Instruction ID: fe0d2dbaa95b9045b28ea41e37ff06d21165b9c1507d1405f2da5201f35bb911
                                                                    • Opcode Fuzzy Hash: b6b5660e9a1875b8a3f44e0c4193ef9374b1fff0e7f577c35b57e42a75eae888
                                                                    • Instruction Fuzzy Hash: 3F016974E40358FFDB10EFA0DD09BAEBBB8EF04715F508759E920AA285D7B05A44CB51
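Reading the two API lists above by hand means looking up each raw argument value; a practitioner would rather decode them once. What follows is an added example, not part of the Joe Sandbox report or of the sample: a small Python decoder that parses records in the shape the report prints them and labels the arguments whose meaning is fixed by the Windows SDK and ntdll headers (VerSetConditionMask type mask and condition, VerifyVersionInfoA type mask, NtSetInformationProcess information class and ProcessExecuteFlags bits). It assumes the x86 stack layout the dump implies (the 64-bit condition mask occupies two argument slots) and that the sandbox logs the DWORD behind the ProcessInformation pointer rather than the pointer itself; both assumptions are marked in the code. The sample records are copied from the lists above.

```python
import re

# Constructed sample: API records copied from the two function listings above,
# in the exact shape the Joe Sandbox IDA plugin prints them.
SAMPLE_RECORDS = """
• VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 03E1F4B9
• VerSetConditionMask.NTDLL(00000000,00000000,00000001,00000003), ref: 03E1F4D1
• VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000,00000000), ref: 03E1F4EE
• GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 03E1F501
• GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 03E1F51E
• NtSetInformationProcess.NTDLL(000000FF,00000022,00000002,00000004), ref: 03E21E5B
• MessageBoxA.USER32(00000000,DllMain Failed!,DllMain,00000000), ref: 03E21E7B
"""

RECORD_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_ARG_RE = re.compile(r"[0-9A-Fa-f]{8}")  # the plugin prints numeric args as 8 hex digits

# Windows SDK / ntdll definitions for the argument values decoded below.
VER_TYPE_MASK = {0x1: "VER_MINORVERSION", 0x2: "VER_MAJORVERSION", 0x4: "VER_BUILDNUMBER",
                 0x8: "VER_PLATFORMID", 0x10: "VER_SERVICEPACKMINOR",
                 0x20: "VER_SERVICEPACKMAJOR", 0x40: "VER_SUITENAME", 0x80: "VER_PRODUCT_TYPE"}
VER_CONDITION = {1: "VER_EQUAL", 2: "VER_GREATER", 3: "VER_GREATER_EQUAL",
                 4: "VER_LESS", 5: "VER_LESS_EQUAL", 6: "VER_AND", 7: "VER_OR"}
PROCESS_INFO_CLASS = {0x07: "ProcessDebugPort", 0x1E: "ProcessDebugObjectHandle",
                      0x1F: "ProcessDebugFlags", 0x22: "ProcessExecuteFlags"}
EXECUTE_FLAGS = {0x1: "MEM_EXECUTE_OPTION_DISABLE", 0x2: "MEM_EXECUTE_OPTION_ENABLE",
                 0x4: "MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION",
                 0x8: "MEM_EXECUTE_OPTION_PERMANENT"}


def flag_names(value, table):
    """Expand a bit mask into SDK flag names; bits not in the table stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names


def parse_arg(text):
    """'000000FF' -> 0xFF, '?' -> None (not captured), anything else is a string argument."""
    text = text.strip()
    if text == "?":
        return None
    if HEX_ARG_RE.fullmatch(text):
        return int(text, 16)
    return text


def _ints(args, n):
    return len(args) >= n and all(isinstance(a, int) for a in args[:n])


def decode(api, args):
    """Label the argument values whose meaning is fixed by the SDK; other APIs get {}."""
    notes = {}
    if api == "VerSetConditionMask" and _ints(args, 4):
        # Assumption (x86): the 64-bit ConditionMask fills slots 0-1, then TypeMask, Condition.
        notes["type_mask"] = flag_names(args[2], VER_TYPE_MASK)
        notes["condition"] = VER_CONDITION.get(args[3], hex(args[3]))
    elif api == "VerifyVersionInfoA" and _ints(args, 2):
        notes["type_mask"] = flag_names(args[1], VER_TYPE_MASK)
    elif api == "NtSetInformationProcess" and _ints(args, 4):
        notes["handle"] = hex(args[0])  # logged as 0xFF here; NtCurrentProcess() is 0xFFFFFFFF
        notes["info_class"] = PROCESS_INFO_CLASS.get(args[1], hex(args[1]))
        if args[1] == 0x22:
            # Assumption: the sandbox logs the DWORD behind the ProcessInformation
            # pointer, which is why a flags value rather than an address appears here.
            notes["execute_flags"] = flag_names(args[2], EXECUTE_FLAGS)
        notes["length"] = args[3]
    return notes


def decode_records(text):
    """Parse every API record in `text` and attach the decoded argument labels."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",") if a.strip()]
        records.append({"api": m["api"], "module": m["module"], "ref": int(m["ref"], 16),
                        "args": args, "decoded": decode(m["api"], args)})
    return records


def summarize(text):
    """One line per record: API, call site and whatever could be decoded."""
    return [f"{r['api']} @ {r['ref']:08X}: {r['decoded'] or r['args']}"
            for r in decode_records(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_RECORDS):
        print(line)
```

Decoded, the first function's calls come out as VerSetConditionMask with VER_MAJORVERSION / VER_GREATER_EQUAL, then VER_MINORVERSION / VER_GREATER_EQUAL, followed by VerifyVersionInfoA over VER_MAJORVERSION|VER_MINORVERSION: a minimum-OS-version gate in front of the AddVectoredExceptionHandler lookup. The second function's call decodes as NtSetInformationProcess(handle, ProcessExecuteFlags, {MEM_EXECUTE_OPTION_ENABLE}, 4); the documented effect of MEM_EXECUTE_OPTION_ENABLE is to permit execution from non-executable pages for the calling 32-bit process, i.e. to switch DEP off for it, unless the permanent flag is already set. The handle slot is printed as 000000FF in the report while the current-process pseudo-handle is 0xFFFFFFFF, so the decoder reports the value as logged rather than guessing.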
                                                                    APIs
                                                                      • Part of subcall function 03E1F410: _memset.LIBCMT ref: 03E1F479
                                                                      • Part of subcall function 03E1F410: VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 03E1F4B9
                                                                      • Part of subcall function 03E1F410: VerSetConditionMask.NTDLL(00000000,00000000,00000001,00000003), ref: 03E1F4D1
                                                                      • Part of subcall function 03E1F410: VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000,00000000), ref: 03E1F4EE
                                                                      • Part of subcall function 03E1F410: GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 03E1F501
                                                                    • GetVersionExA.KERNEL32(00000094,03F6A3B0), ref: 03E1D6E6
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ConditionMaskVersion$HandleInfoModuleVerify_memset
                                                                    • String ID:
                                                                    • API String ID: 888963441-0
                                                                    • Opcode ID: 29e48359ae64ac36efca56a5c1660c27aa593775f2ce56b2346c7e61f3166fa6
                                                                    • Instruction ID: 4f015660de4ce3b57e4bcc8272594ad494114ae615b1d9677be906bb5095eb16
                                                                    • Opcode Fuzzy Hash: 29e48359ae64ac36efca56a5c1660c27aa593775f2ce56b2346c7e61f3166fa6
                                                                    • Instruction Fuzzy Hash: 48D17D74A01269CFEB64CF04C994F9AF7B2BB48304F1492DAD80D6B391C775AA85CF51

                                                                    Control-flow Graph
                                                                    (rendered as an image in the original report; legend: • Executed / • Not Executed. Only the block list survives extraction.)
                                                                    Function 3e757ed-3e7651d: entry 3e757ed-3e75831 (call 3e35ef0, GlobalFix); 3e75887-3e75895 GlobalAlloc and 3e7589e-3e758aa GlobalFix, with a failure exit via 3e764b6; two long straight-line runs, 3e7595e-3e75e5b and 3e75e61-3e761f5, made of repeated call 3e7dbdc / call 3e77327 / call 3e35ef0 triples; 3e761f8-3e76204 (call 3e744ed, call 3e38d79) and 3e76206-3e76219 (call 3e38d86); 3e76339-3e76357 RegCreateKeyExA -> 3e76360-3e7637b RegSetValueExA -> either 3e7637d-3e76385 GetLastError (error exit) or 3e7638a-3e76395 RegCloseKey; 3e763ad-3e763be (call 3e77512), 3e763c1-3e763dc (call 3e775da), 3e763e9-3e763f4 (call 3e7747d), 3e763fd-3e7640c (call 3e7dc3f), 3e76411-3e76422 (call 3e7dc34), 3e76424-3e7642e (call 3e7dc25), 3e7646f-3e7648e (call 3e77542) with a 3e76430-3e76439 GetLastError check; a message pump at 3e7645c-3e7646d PeekMessageA looping through 3e76448-3e76456 TranslateMessage / DispatchMessageA; 3e764a2-3e764b2 FlushFileBuffers (call 3e774c6); 3e764c3-3e764cb (call 3e7dc25), 3e764cc-3e764db (call 3e7dd34); 3e764e3-3e764f0 GlobalUnWire; 3e764f2-3e7650d recursive call 3e757ed then GlobalFree; exit 3e76518-3e7651d.
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E75812
                                                                    • GlobalFix.KERNEL32(?), ref: 03E75824
                                                                    • GlobalAlloc.KERNELBASE(00000040,00000C30,?,?,?,?,?), ref: 03E7588A
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E7589F
                                                                    • GlobalUnWire.KERNEL32(?), ref: 03E764E6
                                                                    • GlobalFree.KERNEL32(?), ref: 03E76504
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFreeWire_memset
                                                                    • String ID: 38810806$SAA-482$YAP00667$software\classes\vdsp
                                                                    • API String ID: 397877402-187591039
                                                                    • Opcode ID: 0c608f8aade549aef82e79a12677280c80540488fb4387c8f42d1bc02749c257
                                                                    • Instruction ID: 888fa8703a62930cf73f9279d51a3545e09d28f416c6ffe268cb2509545a7d2d
                                                                    • Opcode Fuzzy Hash: 0c608f8aade549aef82e79a12677280c80540488fb4387c8f42d1bc02749c257
                                                                    • Instruction Fuzzy Hash: B28266B6C00619ABDF10EFA0CC88EEB777CEF05305F045676A959EB046E634A645CBB0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global_memset
                                                                    • String ID: 38810806$SAA-482$YAP00667$[varPassword]$software\classes\vdsp
                                                                    • API String ID: 3633105071-1405487927
                                                                    • Opcode ID: 4e9a8de8a45e6b13c08b0aeec500490dd3689e2f90904e67b0d32598efd03529
                                                                    • Instruction ID: 41fe52cf4e27734935599846e1f69a43f042800709d69db580ff685df7d25dcf
                                                                    • Opcode Fuzzy Hash: 4e9a8de8a45e6b13c08b0aeec500490dd3689e2f90904e67b0d32598efd03529
                                                                    • Instruction Fuzzy Hash: B79249B6801218ABDF15DFA5CC84EDB77BCEF09305F1416B5E949AB046E631AB44CBB0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _strncpy.LIBCMT ref: 03E77037
                                                                    • RegOpenKeyExA.KERNELBASE(80000001,03F488E8,00000000,00000020,?,?,00000020), ref: 03E77099
                                                                    • RegEnumKeyExA.KERNELBASE(?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 03E770BD
                                                                    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03E770E3
                                                                    • RegEnumKeyExA.KERNELBASE(?,?,?,00000000,00000000,00000000), ref: 03E7718E
                                                                    • wsprintfA.USER32 ref: 03E771B9
                                                                    • RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?), ref: 03E771D4
                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000), ref: 03E771FC
                                                                    • wsprintfA.USER32 ref: 03E77230
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 03E77242
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 03E77256
                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000000), ref: 03E7728A
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E772FF
                                                                    • RegCloseKey.KERNELBASE(?), ref: 03E772CE
                                                                      • Part of subcall function 03E76BBE: _memset.LIBCMT ref: 03E76BF5
                                                                      • Part of subcall function 03E76BBE: _memset.LIBCMT ref: 03E76C0A
                                                                      • Part of subcall function 03E76BBE: _memset.LIBCMT ref: 03E76C24
                                                                      • Part of subcall function 03E76BBE: _memset.LIBCMT ref: 03E76C39
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Enum_memset$CloseOpen$wsprintf$InfoQueryValue_strncpy
                                                                    • String ID: :CU:$:cu:$?
                                                                    • API String ID: 1724152268-2316672497
                                                                    • Opcode ID: 0d4c5016bb26ecb2d2c6dc8deca05af44964bfab8b733e5b047d054bbda7d79c
                                                                    • Instruction ID: 4d19dfc4a2022cc8fe9f0ddd637ec256eb7695d2b1fdb0ed84f35d2968ad4dec
                                                                    • Opcode Fuzzy Hash: 0d4c5016bb26ecb2d2c6dc8deca05af44964bfab8b733e5b047d054bbda7d79c
                                                                    • Instruction Fuzzy Hash: 81A1E5B290015DAFDF11DF94DC84DFEBBBDFB08348F1442A6F915A2120E7319A959BA0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E76544
                                                                    • _memset.LIBCMT ref: 03E76565
                                                                    • _memset.LIBCMT ref: 03E76579
                                                                    • _memset.LIBCMT ref: 03E76597
                                                                    • _memset.LIBCMT ref: 03E765AB
                                                                    • _sprintf.LIBCMT ref: 03E765E5
                                                                    • RegOpenKeyExA.KERNELBASE(00000080,?,00000000,000F003F,00000038), ref: 03E766EE
                                                                    • RegQueryValueExA.ADVAPI32(00000038,?,00000000,03EDDBF0,?,00000C30), ref: 03E76714
                                                                    • RegOpenKeyExA.KERNELBASE(00000080,?,00000000,00020119,00000038), ref: 03E7673F
                                                                    • RegQueryValueExA.ADVAPI32(00000038,?,00000000,03EDDBF0,?,00000C30), ref: 03E7675F
                                                                    • RegCloseKey.ADVAPI32(00000038), ref: 03E76796
                                                                    • RegCloseKey.ADVAPI32(00000038,?,03EDDBF0,00000002), ref: 03E767B8
                                                                    • GlobalAlloc.KERNEL32(00000040,000012F7,?,03EDDBF0,00000001), ref: 03E7681A
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E7682E
                                                                    • _memset.LIBCMT ref: 03E7684E
                                                                    • _memset.LIBCMT ref: 03E76860
                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 03E768E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$Global$CloseOpenQueryValue$AllocWire_sprintf
                                                                    • String ID: software\classes\vdsp
                                                                    • API String ID: 2569556816-3218571349
                                                                    • Opcode ID: 74f7ae907198b0d8fbf3931fcba0fd57fc4fdc9134e94113274f4f7295bb8fc9
                                                                    • Instruction ID: c56d8db85a93ba1ad0dd01d72f214eab91fec2af3112444c29260866c2f4f253
                                                                    • Opcode Fuzzy Hash: 74f7ae907198b0d8fbf3931fcba0fd57fc4fdc9134e94113274f4f7295bb8fc9
                                                                    • Instruction Fuzzy Hash: E0C18DB280061DABDF21DFA4DC84EEFBBBCAF09348F1456A6E549E6140D6709B54CF60

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00000000), ref: 03E747D6
                                                                    • CreateFileA.KERNEL32(00000000,10000000,00000001,00000000,00000003,02000080,00000000,?,00000000), ref: 03E747EB
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 03E747F3
                                                                    • GetLastError.KERNEL32(?,?,00000000), ref: 03E7482D
                                                                    • CreateFileA.KERNEL32(00000000,10000000,00000001,00000000,00000003,02000080,00000000,?,00000000), ref: 03E74842
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 03E7484A
                                                                      • Part of subcall function 03E7459F: GetVersionExA.KERNEL32(?), ref: 03E745B9
                                                                      • Part of subcall function 03E745CD: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 03E74603
                                                                      • Part of subcall function 03E745CD: GetLastError.KERNEL32(?,?,?,00000000), ref: 03E7460D
                                                                      • Part of subcall function 03E745CD: FreeSid.ADVAPI32(00000000,?,?,?,00000000), ref: 03E74618
                                                                    • RegOpenKeyExA.KERNELBASE(00000080,?,00000000,000F003F,00000000,?,?,?,?,?,00000000), ref: 03E7495A
                                                                    • FreeSid.ADVAPI32(00004000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03E7497D
                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03E74986
                                                                    • CreateFileA.KERNELBASE(00000000,10000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000), ref: 03E749BE
                                                                    • FreeSid.ADVAPI32(00004000,?,?,?,?,?,?,00000000), ref: 03E749DC
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 03E749E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$CreateFileFree$Close$AllocateHandleInitializeOpenVersion
                                                                    • String ID: 2$?$software\classes\vdsp
                                                                    • API String ID: 2772543972-1496986628
                                                                    • Opcode ID: d90d44ee5392bdbf10656eca802a6e601867015b2b5a1cbf83c59b9efd026637
                                                                    • Instruction ID: 999e9a43f5a5dd57824193644c3d11c16c8e363adce4ec4327ec4c4213c063a5
                                                                    • Opcode Fuzzy Hash: d90d44ee5392bdbf10656eca802a6e601867015b2b5a1cbf83c59b9efd026637
                                                                    • Instruction Fuzzy Hash: 8961D27680425EAFEF21EFA6EC45BEA7BBCEF05354F1806A5F940961C0DB709A448F50

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E76BF5
                                                                    • _memset.LIBCMT ref: 03E76C0A
                                                                    • _memset.LIBCMT ref: 03E76C24
                                                                    • _memset.LIBCMT ref: 03E76C39
                                                                    • GlobalAlloc.KERNEL32(00000040,00000C30,0000000E,?,?,?,?,?,?), ref: 03E76E74
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E76E88
                                                                    • _sprintf.LIBCMT ref: 03E76FC8
                                                                      • Part of subcall function 03E749F3: _memset.LIBCMT ref: 03E74A18
                                                                      • Part of subcall function 03E749F3: GlobalFix.KERNEL32(?), ref: 03E74A31
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E76EAE
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E76EC9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global_memset$Free$Alloc_sprintf
                                                                    • String ID: D
                                                                    • API String ID: 2746636729-2746444292
                                                                    • Opcode ID: 8581c1e58bc0f390cd1539e4ab9a49379cf5433c6d4a74fc0ea4d8f76be4bb47
                                                                    • Instruction ID: 65addf4e57b244a860c9a920611402fbec39079e78599b6669884de5631483c5
                                                                    • Opcode Fuzzy Hash: 8581c1e58bc0f390cd1539e4ab9a49379cf5433c6d4a74fc0ea4d8f76be4bb47
                                                                    • Instruction Fuzzy Hash: 7CD15C72804619AFDF21EF94DC80EEEBBB9EF44318F145296E905FA250D7319B91CB60

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: 38810806$SAA-482$YAP00667$software\classes\vdsp
                                                                    • API String ID: 2102423945-187591039
                                                                    • Opcode ID: 5bbcc9e974bddfe5b049911a066b8d16d5cbad27a322f38574e2eb1c14726e11
                                                                    • Instruction ID: 1a799d92f702c36540d0e67e890b19d4aab4da5683f7639391fc1fc940ee14c7
                                                                    • Opcode Fuzzy Hash: 5bbcc9e974bddfe5b049911a066b8d16d5cbad27a322f38574e2eb1c14726e11
                                                                    • Instruction Fuzzy Hash: ED221FB2C0025CAADB21DBA4DD44EDB77FCEF09204F1456E6B949E6041E674EB84CFA1

                                                                    Control-flow Graph
                                                                    • Function 03E74630-03E74770 (graph image not recoverable as text); Windows APIs in the graph: LoadLibraryA, GetProcAddress, FreeLibrary, LocalFree, GetLastError
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ADVAPI32.DLL,00000000,10000000,00000000,?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E7465C
                                                                    • GetProcAddress.KERNEL32(00000000,03F4883C), ref: 03E7467E
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E74685
                                                                    • GetProcAddress.KERNEL32(00000000,03F48828), ref: 03E746DC
                                                                    • GetProcAddress.KERNEL32(00000000,03F48818), ref: 03E74704
                                                                    • LocalFree.KERNEL32(000000FF,?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E74718
                                                                    • LocalFree.KERNEL32(00000000,?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E74722
                                                                    • GetLastError.KERNEL32(?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E7473C
                                                                    • LocalFree.KERNEL32(000000FF,?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E74750
                                                                    • LocalFree.KERNEL32(00000000,?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E7475A
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,03E749D6,00000000,00000001,00004000,00000000,10000000,00000001,00000000), ref: 03E7475F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Free$Local$AddressLibraryProc$ErrorLastLoad
                                                                    • String ID: ADVAPI32.DLL
                                                                    • API String ID: 911014765-33758204
                                                                    • Opcode ID: 4f65fb4e98c35b9f69348ce6e33d19b862ead16d1095558dda53dc76aca5cfc7
                                                                    • Instruction ID: 574ae20a5d0b5836594355dcceca11201897a9b6fefbfd0004e9d8883cb9fd78
                                                                    • Opcode Fuzzy Hash: 4f65fb4e98c35b9f69348ce6e33d19b862ead16d1095558dda53dc76aca5cfc7
                                                                    • Instruction Fuzzy Hash: 3E41567190022CFFCF11EFA6DC809EEBBBAFB48354F14826AE611A3190D7315A519F50

                                                                    Control-flow Graph
                                                                    • Function 03E3381C-03E3399A (graph image not recoverable as text); Windows APIs in the graph: GetModuleFileNameA, PathFindExtensionA
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
                                                                    • String ID: .CHM$.HLP$.INI
                                                                    • API String ID: 1153805871-4017452060
                                                                    • Opcode ID: 1f5d8bfbed9ca6459d7e9f35a92a8715cf03121a08cedba5e4e9bccbbc318edd
                                                                    • Instruction ID: 9dcbae5db30d50db0553bbc3875f2059b8cadf5d4b796af1307586f0d56fd730
                                                                    • Opcode Fuzzy Hash: 1f5d8bfbed9ca6459d7e9f35a92a8715cf03121a08cedba5e4e9bccbbc318edd
                                                                    • Instruction Fuzzy Hash: 2D413C79500718AFDB20EF65DC88BDAB7FCFF05208F446A29E945DA681EB74E544CB20
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc
                                                                    • String ID: ny
                                                                    • API String ID: 1579825452-2474548558
                                                                    • Opcode ID: f2be9fc86fa03f0a718271c5307c20e660c77e70a7547a7615a861ae731a5a2a
                                                                    • Instruction ID: bc0ac9c6d831fa984793321efa4ae1d30f4ee48d184e9817a69300119b18b8aa
                                                                    • Opcode Fuzzy Hash: f2be9fc86fa03f0a718271c5307c20e660c77e70a7547a7615a861ae731a5a2a
                                                                    • Instruction Fuzzy Hash: 3DB21674A00259CFDB64DB54C894BADF3B1BB88314F1496D9D80EAB391DB30AE95CF90

                                                                    Control-flow Graph
                                                                    • Function 03E2449E-03E24555 (graph image not recoverable as text); Windows APIs in the graph: GlobalAlloc, GlobalHandle, GlobalFix, RtlLeaveCriticalSection
                                                                    APIs
                                                                    • GlobalAlloc.KERNELBASE(00000002,00000000), ref: 03E244AB
                                                                    • GlobalHandle.KERNEL32(?), ref: 03E244E6
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E244ED
                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 03E244F7
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E24503
                                                                    • _memset.LIBCMT ref: 03E2451C
                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 03E24548
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$CriticalLeaveSection$AllocHandle_memset
                                                                    • String ID:
                                                                    • API String ID: 1912373796-0
                                                                    • Opcode ID: b7c930c856639addf45cea879327e5695d310334a51a7e05ea78b8fb9f1646f9
                                                                    • Instruction ID: 0f5d3618b55879b43e434c6c42c730c1cdd2012b1a68be194ef3c7df7b54189b
                                                                    • Opcode Fuzzy Hash: b7c930c856639addf45cea879327e5695d310334a51a7e05ea78b8fb9f1646f9
                                                                    • Instruction Fuzzy Hash: CC115A796017259FD724EF76E848A26BBA9FF44211B004B2AE556C7684DB34B4148F50

                                                                    Control-flow Graph
                                                                    • Function 03E3399B-03E33A1C (graph image not recoverable as text); Windows APIs in the graph: SetErrorMode (x2), GetModuleHandleA, GetProcAddress
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00000000,03EDDBF0,03E4FEB5,00000000), ref: 03E339A4
                                                                    • SetErrorMode.KERNELBASE(00000000), ref: 03E339AC
                                                                      • Part of subcall function 03E248CD: GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 03E2490E
                                                                      • Part of subcall function 03E248CD: SetLastError.KERNEL32(0000006F,?,?), ref: 03E24928
                                                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 03E339FE
                                                                    • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 03E33A0E
                                                                      • Part of subcall function 03E3381C: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 03E3385F
                                                                      • Part of subcall function 03E3381C: PathFindExtensionA.KERNELBASE(?,?,?,00000000), ref: 03E33879
                                                                      • Part of subcall function 03E3381C: __strdup.LIBCMT ref: 03E338BB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc__strdup
                                                                    • String ID: NotifyWinEvent$user32.dll
                                                                    • API String ID: 2454351968-597752486
                                                                    • Opcode ID: ababf620e880654a95d3e2510d7c7b586658d6b719d84c43208d3a21ab6e77d6
                                                                    • Instruction ID: aee960a946acfac0191f15ab5baa21f569d8a115e89e56f632508e1d09e22bf6
                                                                    • Opcode Fuzzy Hash: ababf620e880654a95d3e2510d7c7b586658d6b719d84c43208d3a21ab6e77d6
                                                                    • Instruction Fuzzy Hash: 96018F79A153208FC710FF749908F0E7BE8AF46601B05965AE455DB391DB70C401CFA2

                                                                    Control-flow Graph
                                                                    • Function 03E775DA-03E7764A (graph image not recoverable as text); Windows APIs in the graph: GlobalAlloc, WriteFile, GetLastError, GlobalFree
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,03E763D5,00000000,?,?,03E763D4,00000000,00000010,?,?,00000C30), ref: 03E775E8
                                                                    • WriteFile.KERNELBASE(?,00000000,03E763D4,?,00000000), ref: 03E77617
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03E77621
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E77628
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03E77637
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E7763E
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$ErrorFreeLast$AllocFileWrite
                                                                    • String ID:
                                                                    • API String ID: 2473694567-0
                                                                    • Opcode ID: f6d972b6637f6b200759e2087d4ff607eba5d387140965eded3aacb152f0393c
                                                                    • Instruction ID: 61155bfb4b07ab08abd0a2b1739bd67b5f9395a9cf4b029a120e9392234c5235
                                                                    • Opcode Fuzzy Hash: f6d972b6637f6b200759e2087d4ff607eba5d387140965eded3aacb152f0393c
                                                                    • Instruction Fuzzy Hash: 3F01A7312411299BC721AEAEBC09EBB7F7EEFD5650B045354F905C7248CB21D852C7E0

                                                                    Control-flow Graph
                                                                    • Function 03EBA0F0-03EBA180 (graph image not recoverable as text); Windows APIs in the graph: GetFileSize, CreateFileMappingA, GetLastError, MapViewOfFile
                                                                    APIs
                                                                    • GetFileSize.KERNEL32(?,?,00000000,00000000,03EBA23A,?,?,03E1D02D,?,?,03F6A3B0), ref: 03EBA0FD
                                                                    • CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 03EBA112
                                                                    • GetLastError.KERNEL32(?,?,03E1D02D,?,?,03F6A3B0), ref: 03EBA126
                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,?,03E1D02D,?,?,03F6A3B0), ref: 03EBA14E
                                                                    • GetLastError.KERNEL32(?,?,03E1D02D,?,?,03F6A3B0), ref: 03EBA162
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: File$ErrorLast$CreateMappingSizeView
                                                                    • String ID:
                                                                    • API String ID: 981448092-0
                                                                    • Opcode ID: 53dada2c1318233d17abfe302c4ee2b6cf53ef6513343424d317ecc54e443ace
                                                                    • Instruction ID: e9349776b0083985cfddbcb4ad641aad86b0c188cb9ca7f96814d871db53b2d4
                                                                    • Opcode Fuzzy Hash: 53dada2c1318233d17abfe302c4ee2b6cf53ef6513343424d317ecc54e443ace
                                                                    • Instruction Fuzzy Hash: 02115EB0651310AFE730EF25EC45F6773A9EF44B21F108A59FA45972C4D674B8508B50
                                                                    APIs
                                                                    • GetVersion.KERNEL32(?,?,03E202EF,?,03E1EAB6), ref: 03E20255
                                                                    • CreateFileA.KERNEL32(00000000,03E202EF,?,03E1EAB6), ref: 03E2027A
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 03E2028D
                                                                    • CreateFileA.KERNELBASE(00000000,03E202EF,?,03E1EAB6), ref: 03E202B6
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 03E202C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateFileHandle$Version
                                                                    • String ID:
                                                                    • API String ID: 4038132141-0
                                                                    • Opcode ID: c93a66bf28a5bb72d0782fa743601aba385040c8f1317b260fcadbaa8ffc72a2
                                                                    • Instruction ID: 8c8389dc81b10d5cf4cb91f313b96b85813e2c1c271a2adf3ef513a3b06f8315
                                                                    • Opcode Fuzzy Hash: c93a66bf28a5bb72d0782fa743601aba385040c8f1317b260fcadbaa8ffc72a2
                                                                    • Instruction Fuzzy Hash: 3B01A771A81314FBE720F7A4AC0EF9A7B74EB05B11F201715B605BA2C1E5F19E518641
                                                                    APIs
                                                                    • __lock.LIBCMT ref: 03E35E77
                                                                      • Part of subcall function 03E3B67E: __mtinitlocknum.LIBCMT ref: 03E3B692
                                                                      • Part of subcall function 03E3B67E: __amsg_exit.LIBCMT ref: 03E3B69E
                                                                      • Part of subcall function 03E3B67E: RtlEnterCriticalSection.NTDLL(?), ref: 03E3B6A6
                                                                    • ___sbh_find_block.LIBCMT ref: 03E35E82
                                                                    • ___sbh_free_block.LIBCMT ref: 03E35E91
                                                                    • RtlFreeHeap.NTDLL(00000000,03E11FC4,03F5FB40,0000000C,03E3B65F,00000000,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA,00000004,03F5FB80,0000000C), ref: 03E35EC1
                                                                    • GetLastError.KERNEL32(?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214,?,00000000), ref: 03E35ED2
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                    • String ID:
                                                                    • API String ID: 2714421763-0
                                                                    • Opcode ID: 528562ca41a65b0eae468ab4a8c285adb8f8bbe25ce036be0bbf1eea307463b1
                                                                    • Instruction ID: 29d1db78bd39320f694f08012af62ade269d5364b0c53de0f5bf575c522750a9
                                                                    • Opcode Fuzzy Hash: 528562ca41a65b0eae468ab4a8c285adb8f8bbe25ce036be0bbf1eea307463b1
                                                                    • Instruction Fuzzy Hash: 8B016279946315ABDF24FB72AC0DB6E77789F03365F242355E405AA2C0DB748580CA98
                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(?,00000003,00000000,00000000,00000003,00000000,00000000,00000000,?), ref: 03E7DC69
                                                                    • GetFileTime.KERNEL32(00000000,?,?,?), ref: 03E7DC8A
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,03E74C8D,?), ref: 03E7DC91
                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,03E74C8D), ref: 03E7DCA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: FileTime$CloseCreateHandleSystem
                                                                    • String ID:
                                                                    • API String ID: 489727163-0
                                                                    • Opcode ID: 1549e7ced991f083ecd71fec1b65be480084c432600116629d429fd8d1612c36
                                                                    • Instruction ID: 46661a74bb87510cb6a41fbbae5fd39a87646e3b576c0fad4faa9f078370bc3d
                                                                    • Opcode Fuzzy Hash: 1549e7ced991f083ecd71fec1b65be480084c432600116629d429fd8d1612c36
                                                                    • Instruction Fuzzy Hash: 5D31E3B5D01228EBCB14DF95E9848EFBBBCEF48710B10816AF916A7350D7749A40CBA0
                                                                    APIs
                                                                    • GetProcAddress.KERNEL32(00000000,004192BB), ref: 004192C9
                                                                      • Part of subcall function 004192ED: GetProcAddress.KERNEL32(00000000,004192E0), ref: 004192EE
                                                                      • Part of subcall function 004192ED: VirtualAlloc.KERNELBASE(00000000,0017E13E,00001000,00000040,00000000), ref: 00419315
                                                                      • Part of subcall function 004192ED: GetTickCount.KERNEL32 ref: 0041931D
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$AllocCountTickVirtual
                                                                    • String ID:
                                                                    • API String ID: 2573335060-0
                                                                    • Opcode ID: 12c473394ad488a617647c0caddf122a26a93eb270734913d332bb4bd81fc912
                                                                    • Instruction ID: 842310ce1b0491c1b7f585b527a721bf24fbc3411a16ae3bcc3b049b2a444ec2
                                                                    • Opcode Fuzzy Hash: 12c473394ad488a617647c0caddf122a26a93eb270734913d332bb4bd81fc912
                                                                    • Instruction Fuzzy Hash: DF21B6B164068CAFDF31AFA5CC56FDD3B68AF08345F040416FE0D9E292D6799B50AB18
                                                                    APIs
                                                                      • Part of subcall function 03E7744A: GetVersionExA.KERNEL32(?), ref: 03E77464
                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,03E764E0,?,?,?), ref: 03E7DD86
                                                                    • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000003,00000000,00000000,?,?,03E764E0,?,?,?), ref: 03E7DD9C
                                                                    • SetFileTime.KERNELBASE(00000000,?,?,?,?,?,03E764E0,?,?,?), ref: 03E7DDB4
                                                                    • CloseHandle.KERNEL32(00000000,?,?,03E764E0,?,?,?), ref: 03E7DDBB
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: FileTime$CloseCreateHandleSystemVersion
                                                                    • String ID:
                                                                    • API String ID: 3540817209-0
                                                                    • Opcode ID: a042d455f4fbd7ae7f2e17b6d91672e8f0400fcccaab80a859ef7bab37d2df56
                                                                    • Instruction ID: 415c2c91048847b1ae7e0817386643ad7d6e0891ba052f0fc547e97e654ada0e
                                                                    • Opcode Fuzzy Hash: a042d455f4fbd7ae7f2e17b6d91672e8f0400fcccaab80a859ef7bab37d2df56
                                                                    • Instruction Fuzzy Hash: 5211FA79910219EEDB00BBA0EC089FFB7BCEF08310F049650ED16D7260E3308A45C7A5
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,03E74C49,00000000,?,?,03E74C48,00000000,00000010,?,?,00000C30), ref: 03E77588
                                                                    • ReadFile.KERNELBASE(?,00000000,03E74C48,?,00000000), ref: 03E7759F
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E775C1
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E775CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$Free$AllocFileRead
                                                                    • String ID:
                                                                    • API String ID: 1538695497-0
                                                                    • Opcode ID: 9e01c196237eb4d443b9b64b77cf4333576863618c92ee1a55a7cb5fbbc0f661
                                                                    • Instruction ID: e244d0d974ef5bca4dd2cf34a271c484ce79071f3f70404636db693983e19f4f
                                                                    • Opcode Fuzzy Hash: 9e01c196237eb4d443b9b64b77cf4333576863618c92ee1a55a7cb5fbbc0f661
                                                                    • Instruction Fuzzy Hash: 3BF0813514021AABCF119F29EC49BBF3BBEEF856D0B045255FD45D7280DB20D81287E0
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 03E26D32
                                                                    • GetSystemMetrics.USER32(0000000C), ref: 03E26D39
                                                                    • GetSystemMetrics.USER32(00000002), ref: 03E26D40
                                                                    • GetSystemMetrics.USER32(00000003), ref: 03E26D4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsSystem$CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 4241121291-0
                                                                    • Opcode ID: 44f9222f4471ac08e92f73ee4c33c1e8702214d716babe2979c09b332c2f6d0e
                                                                    • Instruction ID: a24acc38030d3b1d475a53d7f80bbc42f662c0065b9c6e55a81f7ed32b5af2f9
                                                                    • Opcode Fuzzy Hash: 44f9222f4471ac08e92f73ee4c33c1e8702214d716babe2979c09b332c2f6d0e
                                                                    • Instruction Fuzzy Hash: 7EF09070A41704AEE720BF73AC49F27BBA8EF81B51F00452AE2018B2C4C6B598158F50
                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(00000003,00000003,00000003,00000000,00000003,00000080,00000000,03E74D0D,?,?,?), ref: 03E77565
                                                                    • GetLastError.KERNEL32 ref: 03E77570
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CreateErrorFileLast
                                                                    • String ID: @
                                                                    • API String ID: 1214770103-2766056989
                                                                    • Opcode ID: 51ec1ac55943dc8559404b5ead7886710c57b3b456b63b7cba4b338c77747384
                                                                    • Instruction ID: d0dbd30c961b36d1e9f442b1ca6febb1ea652d9b536aa538337dba8f1790ac1c
                                                                    • Opcode Fuzzy Hash: 51ec1ac55943dc8559404b5ead7886710c57b3b456b63b7cba4b338c77747384
                                                                    • Instruction Fuzzy Hash: D5E0E2711852806BEA211720AC0AF3A7BA5BB44B38F680B08F7E4E80E0C7A896509619
                                                                    APIs
                                                                    • GetProcAddress.KERNEL32(00000000,004192E0), ref: 004192EE
                                                                    • VirtualAlloc.KERNELBASE(00000000,0017E13E,00001000,00000040,00000000), ref: 00419315
                                                                    • GetTickCount.KERNEL32 ref: 0041931D
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressAllocCountProcTickVirtual
                                                                    • String ID:
                                                                    • API String ID: 1017356299-0
                                                                    • Opcode ID: adf5c87729f99595c967b5fcb89e7418a98c771012d72ec6246c1e3d5406159c
                                                                    • Instruction ID: f54a6ba7c773fcf392946ab52e99312e8b7508c7d6acb9c02f19ef6cccfbc8da
                                                                    • Opcode Fuzzy Hash: adf5c87729f99595c967b5fcb89e7418a98c771012d72ec6246c1e3d5406159c
                                                                    • Instruction Fuzzy Hash: DD1183B164058CAFDF319F94CC45FDD3BA9AF08345F040015BE0D9A292C6BA5A50AB18
                                                                    APIs
                                                                      • Part of subcall function 03E7DB4D: GlobalFix.KERNEL32(03E7454D), ref: 03E7DB52
                                                                      • Part of subcall function 03E7DB4D: GetLastError.KERNEL32 ref: 03E7DB5E
                                                                    • GlobalFix.KERNEL32(?), ref: 03E74554
                                                                    • GlobalUnWire.KERNEL32(?), ref: 03E74581
                                                                    • GlobalFree.KERNELBASE(?), ref: 03E74588
                                                                      • Part of subcall function 03E719D1: GlobalFix.KERNEL32(?), ref: 03E719DC
                                                                      • Part of subcall function 03E719D1: GetLastError.KERNEL32(?,?,?,03E1592B,?), ref: 03E719E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$ErrorLast$FreeWire
                                                                    • String ID:
                                                                    • API String ID: 4192396063-0
                                                                    • Opcode ID: cfcf77aa0802976e0f50f01f84eb41449f862b4cd4729afe7ca0e47b7a7b19ff
                                                                    • Instruction ID: f5bcb56931a484532c829e42d34695e0834d19f04651e9045f373374d7a0515a
                                                                    • Opcode Fuzzy Hash: cfcf77aa0802976e0f50f01f84eb41449f862b4cd4729afe7ca0e47b7a7b19ff
                                                                    • Instruction Fuzzy Hash: 6EF0E93254172197CA22EA377C44BBFA3BDAF86E95B091719F445E7144DF10D5424E90
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 03E883B0
                                                                    • SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 03E883B7
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,-00000001), ref: 03E883CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                    • String ID:
                                                                    • API String ID: 262959230-0
                                                                    • Opcode ID: c93c87ea7d4c96a8ca4c5d0a7cb5119cbf16ee15a35d8d4a445571f68961ecf2
                                                                    • Instruction ID: 18bb6524692a647cd6c771f53b24dc50e68963324a1961106babcf6bebc5ce39
                                                                    • Opcode Fuzzy Hash: c93c87ea7d4c96a8ca4c5d0a7cb5119cbf16ee15a35d8d4a445571f68961ecf2
                                                                    • Instruction Fuzzy Hash: A6E06DB210112CBFAB106BAA9CC8CABBFADDF851F87104221F519D2160C6719D008AB0
                                                                    APIs
                                                                    • UnmapViewOfFile.KERNEL32(?,?,?,03E1DC24), ref: 03EBA19C
                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,03E1DC24), ref: 03EBA1B0
                                                                    • CloseHandle.KERNEL32(?,?,?,03E1DC24), ref: 03EBA1C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Close$ChangeFileFindHandleNotificationUnmapView
                                                                    • String ID:
                                                                    • API String ID: 223153180-0
                                                                    • Opcode ID: aed63fcf37c5996707cdb94508a08f8aa9f952d35c2a112392a6c91f5792b68b
                                                                    • Instruction ID: 3b8acdf39da400e5f3c40d9d1aa335c9068b425d32047ea784c9356913ca2998
                                                                    • Opcode Fuzzy Hash: aed63fcf37c5996707cdb94508a08f8aa9f952d35c2a112392a6c91f5792b68b
                                                                    • Instruction Fuzzy Hash: 2CE01A712047205BDA61EA2EEC48A97F3FDAF80624B094B29A425D3290D370EC458A60
                                                                    APIs
                                                                    • SysFreeString.OLEAUT32(?), ref: 03E8880E
                                                                    • SysFreeString.OLEAUT32(?), ref: 03E88818
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString
                                                                    • String ID:
                                                                    • API String ID: 3341692771-0
                                                                    • Opcode ID: 952be85524c13d74f0b1e14553d64c5bb3fe7ce38bf0e7828a1a56507d679801
                                                                    • Instruction ID: 07b2142be96cb0156f4a3ac3c726d5cd1ad268c53298b807317e810df368f491
                                                                    • Opcode Fuzzy Hash: 952be85524c13d74f0b1e14553d64c5bb3fe7ce38bf0e7828a1a56507d679801
                                                                    • Instruction Fuzzy Hash: 10414B79E00229AFCF01EFA5CC849AEBBB9BF04254B945679EC1DEB251D731DA40CB50
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 03E2490E
                                                                    • SetLastError.KERNEL32(0000006F,?,?), ref: 03E24928
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFileLastModuleName
                                                                    • String ID:
                                                                    • API String ID: 2776309574-0
                                                                    • Opcode ID: b2f9c12c8be91b42b4593260b20a4892d3f3339c20e9d6968bfc0d8a7bcc1161
                                                                    • Instruction ID: 3849180d630c780d5d17455dafa2e3dbd5e9f81b4920b797d35e1a0e4a80df2a
                                                                    • Opcode Fuzzy Hash: b2f9c12c8be91b42b4593260b20a4892d3f3339c20e9d6968bfc0d8a7bcc1161
                                                                    • Instruction Fuzzy Hash: 6B213C719003689AEB30DFAAD8887EEBBF8BF05318F14461ED469DA2C0DBB45148CF41
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,?), ref: 004193D6
                                                                    • GetProcAddress.KERNEL32(?,?), ref: 00419411
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID:
                                                                    • API String ID: 1646373207-0
                                                                    • Opcode ID: 03a68dd1fff11b85306db9616907aeedd7f08571911f758e808585bd93c8d563
                                                                    • Instruction ID: 530bce34981756e91e4fc75d7d9b649b400ac082c87b22d028876410e9698bdc
                                                                    • Opcode Fuzzy Hash: 03a68dd1fff11b85306db9616907aeedd7f08571911f758e808585bd93c8d563
                                                                    • Instruction Fuzzy Hash: B91130B25083558FDB10CF15D8D0A9BB7E8FF98724F15041AEC95A7341D638AC458B66
                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,?,03E1D02D,?,?,03F6A3B0), ref: 03EBA1F1
                                                                    • GetLastError.KERNEL32(?,?,?,03E1D02D,?,?,03F6A3B0), ref: 03EBA207
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CreateErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 1214770103-0
                                                                    • Opcode ID: 0f852496e104a157c10feb904c2ec260c098c6773682e6ab39349b08864f720c
                                                                    • Instruction ID: e1623f2e4ef27f14ffca72a2971a4297222988164814df42622b62f1b2fdfcce
                                                                    • Opcode Fuzzy Hash: 0f852496e104a157c10feb904c2ec260c098c6773682e6ab39349b08864f720c
                                                                    • Instruction Fuzzy Hash: EEF0AFB1300310AFD620EB29EC44F67F7ECEF94720F008A2AF555DB284C6B1A840CBA0
                                                                    APIs
                                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 03E66C80
                                                                    • CreateIconFromResource.USER32(?,?,00000001,00030000), ref: 03E66C9D
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,03E397F1,00000001), ref: 03E3C21A
• HeapDestroy.KERNEL32 ref: 03E3C250
Similarity
• API ID: Heap$CreateDestroy
• String ID:
• API String ID: 3296620671-0
APIs
• CreateFileA.KERNELBASE(00000080,C0000000,00000005,00000000,00000002,00000080,00000000,03E7E440,00000001,?,00000008,?,00000000), ref: 03E774FD
• GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00000001,?,?,00000001,?,?,00000001,?,?), ref: 03E77508
Similarity
• API ID: CreateErrorFileLast
• String ID:
• API String ID: 1214770103-0
APIs
• ___crtCorExitProcess.LIBCMT ref: 03E37264
  • Part of subcall function 03E3723A: GetModuleHandleA.KERNEL32(mscoree.dll,03E37269,000A0000,03E3B5ED,000000FF,0000001E,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA,00000004,03F5FB80,0000000C), ref: 03E3723F
  • Part of subcall function 03E3723A: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 03E3724F
• ExitProcess.KERNEL32 ref: 03E3726E
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
APIs
  • Part of subcall function 03E1F410: _memset.LIBCMT ref: 03E1F479
  • Part of subcall function 03E1F410: VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 03E1F4B9
  • Part of subcall function 03E1F410: VerSetConditionMask.NTDLL(00000000,00000000,00000001,00000003), ref: 03E1F4D1
  • Part of subcall function 03E1F410: VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000,00000000), ref: 03E1F4EE
  • Part of subcall function 03E1F410: GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 03E1F501
• VirtualProtect.KERNEL32(?,00000000,?,?), ref: 03E1DD22
Similarity
• API ID: ConditionMask$HandleInfoModuleProtectVerifyVersionVirtual_memset
• String ID:
• API String ID: 602170194-0
APIs
• SysFreeString.OLEAUT32(?), ref: 03E88501
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Similarity
• API ID: _memcpy_s
• String ID:
• API String ID: 2001391462-0
APIs
  • Part of subcall function 03E20251: GetVersion.KERNEL32(?,?,03E202EF,?,03E1EAB6), ref: 03E20255
  • Part of subcall function 03E20251: CreateFileA.KERNEL32(00000000,03E202EF,?,03E1EAB6), ref: 03E2027A
  • Part of subcall function 03E20251: CloseHandle.KERNEL32(000000FF), ref: 03E2028D
• __CxxThrowException@8.LIBCMT ref: 03E2033B
Similarity
• API ID: CloseCreateException@8FileHandleThrowVersion
• String ID:
• API String ID: 1047297254-0
APIs
• GetFileAttributesA.KERNELBASE(00000000,03E74C6B,?,00000000,?,?,[varPassword],?,?,?), ref: 03E77481
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• FindCloseChangeNotification.KERNELBASE(00000000,03E74D39,00000000), ref: 03E774CA
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
APIs
• SetFileAttributesA.KERNELBASE(?,?,03E74D56,?,?), ref: 03E7DC2D
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• GetFileAttributesA.KERNELBASE(?,03E74C93,?,?,?,?,?,?,[varPassword],?,?,?), ref: 03E7DC38
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CoInitialize.OLE32(00000000), ref: 03E883ED
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• InvalidateRect.USER32(?,00000000,00000001), ref: 03E8B32E
• _sprintf.LIBCMT ref: 03E8B34D
• BeginPaint.USER32(?,?), ref: 03E8B35B
• SetBkMode.GDI32(00000000,00000001), ref: 03E8B366
• TextOutA.GDI32(00000000,0000000A,00000032,?,?), ref: 03E8B38B
• EndPaint.USER32(?,?), ref: 03E8B398
• SendMessageA.USER32(00000406,00000000,?), ref: 03E8B3BB
• SendMessageA.USER32(00000409,00000000,00FF0000), ref: 03E8B3CE
• NtdllDefWindowProc_A.NTDLL(?,?,0000040A,?), ref: 03E8B3F5
• EndDialog.USER32(?,00000000), ref: 03E8B425
• EndDialog.USER32(?,00000000), ref: 03E8B442
• BeginPaint.USER32(?,?), ref: 03E8B457
• SetBkMode.GDI32(00000000,00000001), ref: 03E8B462
• SendMessageA.USER32(03F7AD98,00000402,00000000), ref: 03E8B484
• SendMessageA.USER32(0000000F,00000000,00000000), ref: 03E8B490
• _sprintf.LIBCMT ref: 03E8B49E
• TextOutA.GDI32(00000000,0000000A,0000002D,?,?), ref: 03E8B4CA
• _sprintf.LIBCMT ref: 03E8B4E8
• _sprintf.LIBCMT ref: 03E8B504
• TextOutA.GDI32(00000000,0000000A,00000041,?,?), ref: 03E8B52B
• EndPaint.USER32(?,?), ref: 03E8B534
• LoadLibraryA.KERNEL32(comctl32.dll), ref: 03E8B54F
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 03E8B561
• FreeLibrary.KERNEL32(00000000), ref: 03E8B577
• CreateWindowExA.USER32(00000000,03F4A7C8,00000000,50000000,0000000A,00000012,00000110,00000014,00000020,00000000,00000000,00000000), ref: 03E8B5A3
Similarity
• API ID: MessagePaintSend_sprintf$Text$BeginDialogLibraryModeWindow$AddressCreateFreeInvalidateLoadNtdllProcProc_Rect
• String ID: $InitCommonControlsEx$comctl32.dll
• API String ID: 951144376-449265142
APIs
• _memset.LIBCMT ref: 03E8C34C
• _memset.LIBCMT ref: 03E8C363
• _memset.LIBCMT ref: 03E8C377
• GlobalAlloc.KERNEL32(00000040,00000400,?,?,?,?,?,?,00004000,00000026,00000001), ref: 03E8C3CF
• GlobalFix.KERNEL32(?), ref: 03E8C3E7
• _sprintf.LIBCMT ref: 03E8C402
• _sprintf.LIBCMT ref: 03E8C427
• _sprintf.LIBCMT ref: 03E8C43B
• _sprintf.LIBCMT ref: 03E8C450
• _sprintf.LIBCMT ref: 03E8C461
• _sprintf.LIBCMT ref: 03E8C477
• _sprintf.LIBCMT ref: 03E8C488
• GlobalFree.KERNEL32(?), ref: 03E8C4C9
• GlobalFree.KERNEL32(?), ref: 03E8C4F2
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00004000,00000026,00000001), ref: 03E8C534
• GlobalFree.KERNEL32(?), ref: 03E8C567
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00004000,00000026,00000001), ref: 03E8C735
                                                                    Similarity
                                                                    • API ID: _sprintf$Global$Free_memset$ErrorLast$Alloc
                                                                    • String ID: ---------------------------1234567890123
                                                                    • API String ID: 1616597271-2513617255
                                                                    • Opcode ID: e54265e9ff4e10da34f0739b2b6e80a10f4d986cfa998d6646723638a7158d2c
                                                                    • Instruction ID: 046ae9515dac405be020e41acf980009d2d2adc1bd170feae1e52451c219e342
                                                                    • Opcode Fuzzy Hash: e54265e9ff4e10da34f0739b2b6e80a10f4d986cfa998d6646723638a7158d2c
                                                                    • Instruction Fuzzy Hash: 89F19E71941209AFDB20EFA4CC88EEFBBB9FF05304F245569F55EA6140DB31AA44CB64
                                                                    APIs
                                                                    • GlobalFix.KERNEL32(?), ref: 03E714C0
                                                                      • Part of subcall function 03E77D73: GetLocalTime.KERNEL32(?,?,?,?,00000000,?,?,?,03E757BB,?,?,?,?,?,?), ref: 03E77D7D
                                                                      • Part of subcall function 03E77D73: _rand.LIBCMT ref: 03E77DB8
                                                                    • FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00004000), ref: 03E7180E
                                                                    • __itoa.LIBCMT ref: 03E71835
                                                                    • GetLastError.KERNEL32 ref: 03E71907
                                                                    • GlobalAlloc.KERNEL32(00000040,00000108), ref: 03E71929
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E7193D
                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 03E71966
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocCloseErrorFindLastLocalTimeWire__itoa_rand
                                                                    • String ID: .net$\$\$d$d
                                                                    • API String ID: 2060086123-836287405
                                                                    • Opcode ID: 661e6e6b4bb3da33c8a0f27a38e0d3b352e81e93aeae89cfac69f60ba014b4fd
                                                                    • Instruction ID: d3cfa6be561d8acb29cb959fbca10cc442f3e64f2c3bd74810ea124287eb9c3a
                                                                    • Opcode Fuzzy Hash: 661e6e6b4bb3da33c8a0f27a38e0d3b352e81e93aeae89cfac69f60ba014b4fd
                                                                    • Instruction Fuzzy Hash: 0CE1F47190025DAFCF21EF64DC98AFA7BBDEB05304F5856E5E985E7100E7309A98CB50
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(03F4A9E0,00004000,00000000,03E8C4BD,00000001,00004000), ref: 03E8B807
                                                                    • GetProcAddress.KERNEL32(00000000,03F4A9C4), ref: 03E8B82C
                                                                    • GetProcAddress.KERNEL32(?,03F4A9B4), ref: 03E8B83F
                                                                    • GetProcAddress.KERNEL32(?,03F4A9A0), ref: 03E8B852
                                                                    • GetProcAddress.KERNEL32(?,03F4A98C), ref: 03E8B865
                                                                    • GetProcAddress.KERNEL32(?,03F4A974), ref: 03E8B878
                                                                    • GetProcAddress.KERNEL32(?,03F4A964), ref: 03E8B88B
                                                                    • GetProcAddress.KERNEL32(?,03F4A950), ref: 03E8B89E
                                                                    • GetProcAddress.KERNEL32(?,03F4A93C), ref: 03E8B8B1
                                                                    • GetProcAddress.KERNEL32(?,03F4A928), ref: 03E8B92B
                                                                    • GetProcAddress.KERNEL32(?,03F4A914), ref: 03E8B93E
                                                                    • GetProcAddress.KERNEL32(?,03F4A900), ref: 03E8B951
                                                                    • GetProcAddress.KERNEL32(?,03F4A8EC), ref: 03E8B964
                                                                    • GetProcAddress.KERNEL32(?,03F4A8D4), ref: 03E8B977
                                                                    • GetProcAddress.KERNEL32(?,03F4A8C0), ref: 03E8B98A
                                                                    • GetProcAddress.KERNEL32(?,03F4A8B0), ref: 03E8B99D
                                                                    • GetProcAddress.KERNEL32(?,03F4A8A0), ref: 03E8B9B0
                                                                    • GetProcAddress.KERNEL32(?,03F4A88C), ref: 03E8B9C3
                                                                    • GetProcAddress.KERNEL32(?,03F4A87C), ref: 03E8B9D6
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 2238633743-0
                                                                    • Opcode ID: 62f4082cfa3341f34efcc51207b355b6ff601025a2db9268e2a46e15f6b417d8
                                                                    • Instruction ID: d875f76f0395a731b90bb888499e1d3d73777109f7a38d9efc4b8052d0c04f61
                                                                    • Opcode Fuzzy Hash: 62f4082cfa3341f34efcc51207b355b6ff601025a2db9268e2a46e15f6b417d8
                                                                    • Instruction Fuzzy Hash: D951D875942B42AFCF70EFB5888DAABFEE4EB45304F154A6ED4BE52121DB74A040DE01
                                                                    APIs
                                                                    • _strcpy_s.LIBCMT ref: 03E314F9
                                                                    • __snprintf_s.LIBCMT ref: 03E31530
                                                                      • Part of subcall function 03E38F35: __vsnprintf_s_l.LIBCMT ref: 03E38F4A
                                                                    • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004,00000000), ref: 03E3155E
                                                                    • PathFindFileNameA.SHLWAPI(?,?,?,?,?,00000020,00000000), ref: 03E31580
                                                                    • _memset.LIBCMT ref: 03E31596
                                                                    • GetModuleHandleA.KERNEL32(KERNEL32,?,?,?,?,?,?,?,00000020,00000000), ref: 03E315A3
                                                                    • GetProcAddress.KERNEL32(00000000,FindActCtxSectionStringA), ref: 03E315B3
                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000020,00000000), ref: 03E315D7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFileFindHandleInfoLibraryLoadLocaleModuleNamePathProc__snprintf_s__vsnprintf_s_l_memset_strcpy_s
                                                                    • String ID: FindActCtxSectionStringA$KERNEL32$LOC
                                                                    • API String ID: 3780305978-185049223
                                                                    • Opcode ID: 36a27bfffcda6aa1dd82cf4835fdb968491e426fd8eda4f6a78a9efd07fa22c5
                                                                    • Instruction ID: 9e3cf6847d3522994fe9bd6f602f6c54e8c0a9861509fbae9436dc15f7e076ef
                                                                    • Opcode Fuzzy Hash: 36a27bfffcda6aa1dd82cf4835fdb968491e426fd8eda4f6a78a9efd07fa22c5
                                                                    • Instruction Fuzzy Hash: 353194B1900218BFDF24FBA5EC89EEE77BDEF06304F045629F116EA190DA704945CB60
                                                                    APIs
                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 03E7E75D
                                                                    • GetLastError.KERNEL32 ref: 03E7E76A
                                                                    • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 03E7E782
                                                                    • GetLastError.KERNEL32 ref: 03E7E78E
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastOpen$ManagerService
                                                                    • String ID:
                                                                    • API String ID: 3226715057-0
                                                                    • Opcode ID: d8ce2edcad818be8612f061aebecd9bf1a0ed3542b9478a60a23a0fa24ec5d34
                                                                    • Instruction ID: 9ef6310a8ad5be585d6d624eec45a4d3c2c2710fbe99e59a62632a3ec81f6ea5
                                                                    • Opcode Fuzzy Hash: d8ce2edcad818be8612f061aebecd9bf1a0ed3542b9478a60a23a0fa24ec5d34
                                                                    • Instruction Fuzzy Hash: DF21E132601235EBE714B7B5BD8CABE3A7CEB88785F140675F602D6144D6248950C790
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: @$@$AfxControlBar80s$AfxFrameOrView80s$AfxMDIFrame80s$AfxOleControl80s$AfxWnd80s
                                                                    • API String ID: 2102423945-3207598521
                                                                    • Opcode ID: 800a526e8dd8aad0e74b650612dd640dbf8b81f792c8067247b9d9b0db5719d3
                                                                    • Instruction ID: 595663464c750c08ca2b89a201a46eac39f83e526bd672f58c7250df0545e1cc
                                                                    • Opcode Fuzzy Hash: 800a526e8dd8aad0e74b650612dd640dbf8b81f792c8067247b9d9b0db5719d3
                                                                    • Instruction Fuzzy Hash: 14813DB6C00269AEDB50DFA5D984BDEFFF8AF04344F14A265EA18E6180E774D644CB90
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E7ECAE
                                                                    • _sprintf.LIBCMT ref: 03E7ED1D
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,00000000,03E74201,00000000,?,00000000), ref: 03E7ED5B
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 03E7ED67
                                                                    • _malloc.LIBCMT ref: 03E7ED6C
                                                                    • _malloc.LIBCMT ref: 03E7ED7C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc$AccountErrorLastLookupName_memset_sprintf
                                                                    • String ID:
                                                                    • API String ID: 2838544775-0
                                                                    • Opcode ID: b578d83a8c554edc02717262a5a6628fac3fc8195779ce9ad7aaeee889ef40cb
                                                                    • Instruction ID: 9ed8ae09dc718005cc19d9f7e2dd313979408c59da9adb7281fd303f421ef516
                                                                    • Opcode Fuzzy Hash: b578d83a8c554edc02717262a5a6628fac3fc8195779ce9ad7aaeee889ef40cb
                                                                    • Instruction Fuzzy Hash: FB41BC7680021DFFCF11EFA89C84DEEBBBDEB49204F1496E6E615E6110E6319A54CB60
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E3400A
                                                                    • GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 03E3404B
                                                                      • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
                                                                      • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
                                                                    • PathIsUNCA.SHLWAPI(?,00000000), ref: 03E340AF
                                                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 03E340CD
                                                                    • CharUpperA.USER32(?), ref: 03E340F4
                                                                    • FindFirstFileA.KERNEL32(?,00000000), ref: 03E34107
                                                                    • FindClose.KERNEL32(00000000), ref: 03E34113
                                                                    • lstrlen.KERNEL32(?), ref: 03E34128
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: FindH_prolog3Path$CharCloseException@8FileFirstFullInformationNameThrowUpperVolumelstrlen
                                                                    • String ID:
                                                                    • API String ID: 4099955704-0
                                                                    • Opcode ID: 9637068d3ec6e3e5efd1d36e1ff8cf00b54cd147bace4ad5d38d4c4a54a1d166
                                                                    • Instruction ID: 2a7fc1333892d93c43a6fb8eee1dbf414437b3b5fbb9031d5ef553555c11d287
                                                                    • Opcode Fuzzy Hash: 9637068d3ec6e3e5efd1d36e1ff8cf00b54cd147bace4ad5d38d4c4a54a1d166
                                                                    • Instruction Fuzzy Hash: CD41B175A0021A9BDF14EFA2DC88BFF7B78EF46318F041318E916AA1C0DB349915CE21
                                                                    APIs
                                                                    • GetKeyState.USER32(00000011), ref: 03EC9305
                                                                    • GetKeyState.USER32(00000010), ref: 03EC9318
                                                                    • GetFocus.USER32 ref: 03EC9328
                                                                    • GetDesktopWindow.USER32 ref: 03EC9330
                                                                    • SendMessageA.USER32(?,0000020A,?,?), ref: 03EC9354
                                                                    • SendMessageA.USER32(00000000,0000020A,?,?), ref: 03EC9373
                                                                    • GetParent.USER32(00000000), ref: 03EC937C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendState$DesktopFocusParentWindow
                                                                    • String ID:
                                                                    • API String ID: 4150626516-0
                                                                    • Opcode ID: 02d1f93d4446957a656ea3d554ff1cb733e3b024ba18c1c2ee31a85b1ae4f07a
                                                                    • Instruction ID: d2194ee0a58c2c5da0b36f21534bf837a23c3a0a6ef071a83892ddee9ccfd97f
                                                                    • Opcode Fuzzy Hash: 02d1f93d4446957a656ea3d554ff1cb733e3b024ba18c1c2ee31a85b1ae4f07a
                                                                    • Instruction Fuzzy Hash: E311C131A11364BBDB1056AA9D44ABE77ACEF44754F050616FD41D7182D7B0FD12C6B0
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32 ref: 03E3CA3E
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03E3CA53
                                                                    • UnhandledExceptionFilter.KERNEL32(03EE00BC), ref: 03E3CA5E
                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 03E3CA7A
                                                                    • TerminateProcess.KERNEL32(00000000), ref: 03E3CA81
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                    • String ID:
                                                                    • API String ID: 2579439406-0
                                                                    • Opcode ID: c15c650e7f5c8de5cefabb25957447adbf6eddc7f600334a72b2e11957d61281
                                                                    • Instruction ID: cd39c3407809d7fc0ebb1841ad5ec6014d39a7e4a14cdf8e8242900f03024b86
                                                                    • Opcode Fuzzy Hash: c15c650e7f5c8de5cefabb25957447adbf6eddc7f600334a72b2e11957d61281
                                                                    • Instruction Fuzzy Hash: C921E0B4402308DFEB50FF29F5A96967BF4FB49311F50561AE90897298E7F05984CF05
                                                                    APIs
                                                                    • __snprintf_s.LIBCMT ref: 03E2CEEF
                                                                      • Part of subcall function 03E38F35: __vsnprintf_s_l.LIBCMT ref: 03E38F4A
                                                                    • __snprintf_s.LIBCMT ref: 03E2CF21
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __snprintf_s$__vsnprintf_s_l
                                                                    • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                                                                    • API String ID: 1538267442-2801496823
                                                                    • Opcode ID: 5b8f9e03d08c5844d3cecd287465cc1fe6cf9b045f726b3b49ad9e414e9ded1b
                                                                    • Instruction ID: 93acff10a38b565319d80c7777d24e767c8873eb25d32023a959631e41b46a78
                                                                    • Opcode Fuzzy Hash: 5b8f9e03d08c5844d3cecd287465cc1fe6cf9b045f726b3b49ad9e414e9ded1b
                                                                    • Instruction Fuzzy Hash: 143161B5E00328AFCB11EFA5C84099EBBF9FF49350F145266E954AB250D7708950CF62
                                                                    APIs
                                                                    • FindResourceA.KERNEL32(?,?,000000F0), ref: 03ECC085
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 03ECC091
                                                                    • LockResource.KERNEL32(00000000), ref: 03ECC09F
                                                                    • FreeResource.KERNEL32(00000000), ref: 03ECC0CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindFreeLoadLock
                                                                    • String ID:
                                                                    • API String ID: 1078018258-0
                                                                    • Opcode ID: 09c68f8507d9970e80dff62c24131b627a4ebb8bff3324a18fc9ac1dc698ced6
                                                                    • Instruction ID: 781a2ca960bb0e53ebfa4f2a67287034fe8c6fe04cf65803a5d44a3f906e6b28
                                                                    • Opcode Fuzzy Hash: 09c68f8507d9970e80dff62c24131b627a4ebb8bff3324a18fc9ac1dc698ced6
                                                                    • Instruction Fuzzy Hash: C0116A31201218EFCB20DF96D949B9EBBB9FF04219F14812CF90A97290CB719912CF20
                                                                    APIs
                                                                      • Part of subcall function 03E2D50C: GetWindowLongA.USER32(?,000000F0), ref: 03E2D517
                                                                    • GetKeyState.USER32(00000010), ref: 03E2A885
                                                                    • GetKeyState.USER32(00000011), ref: 03E2A88E
                                                                    • GetKeyState.USER32(00000012), ref: 03E2A897
                                                                    • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 03E2A8AD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: State$LongMessageSendWindow
                                                                    • String ID:
                                                                    • API String ID: 1063413437-0
                                                                    • Opcode ID: 35ce86c718bb75b0f3fc06460a11b6cef488875edf10604078c12a4502a1b244
                                                                    • Instruction ID: 2c86eeaedc62e5f26f887852bf45b323e617325bb4f43362302a3522afbf3041
                                                                    • Opcode Fuzzy Hash: 35ce86c718bb75b0f3fc06460a11b6cef488875edf10604078c12a4502a1b244
                                                                    • Instruction Fuzzy Hash: D8F0E23A7C037A26FA28B2745C05FEA99288F50B95F042B30AE42EE0C5CD91C4020770
                                                                    APIs
                                                                    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 03E527A7
                                                                    • GetClientRect.USER32(?,?), ref: 03E527B6
                                                                    • MoveWindow.USER32(?,?,?,?,00000001), ref: 03E527D0
                                                                    • KillTimer.USER32(?,00000001), ref: 03E527DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientKillMoveNtdllProc_RectTimer
                                                                    • String ID:
                                                                    • API String ID: 3914955417-0
                                                                    • Opcode ID: e212a43b603e4b54d2511683fc54dbdc3b473107d1d68f03d1bd5b048dc65604
                                                                    • Instruction ID: b5859e4cc80c891304f96d14be065416cfd3d2cc5a7f23762517b27ec516f48c
                                                                    • Opcode Fuzzy Hash: e212a43b603e4b54d2511683fc54dbdc3b473107d1d68f03d1bd5b048dc65604
                                                                    • Instruction Fuzzy Hash: 7EF0E73241000DFBCF06EFA5ED089AEBF72FF08344F085A10FA1594064C7B29660EB50
                                                                    APIs
                                                                      • Part of subcall function 03E2590D: RtlLeaveCriticalSection.NTDLL(-03F774D9), ref: 03E25924
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E2CE9E
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    • __snprintf_s.LIBCMT ref: 03E2CEEF
                                                                      • Part of subcall function 03E38F35: __vsnprintf_s_l.LIBCMT ref: 03E38F4A
                                                                    • __snprintf_s.LIBCMT ref: 03E2CF21
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __snprintf_s$CriticalExceptionException@8LeaveRaiseSectionThrow__vsnprintf_s_l
                                                                    • String ID: Afx:%p:%x
                                                                    • API String ID: 2263037651-3201128726
                                                                    • Opcode ID: 210000cacd1848f7673bee12cebd778c78c95669af189765e87d0cc9f17e2ef8
                                                                    • Instruction ID: 9974a15566c30124a90ff36a2116356c85e9a461f91be1dbc6b6b6647449457f
                                                                    • Opcode Fuzzy Hash: 210000cacd1848f7673bee12cebd778c78c95669af189765e87d0cc9f17e2ef8
                                                                    • Instruction Fuzzy Hash: A12174B4D003289FDB11EFA9C840ADEBBF8EF09350F145266E954BB250E7708950CFA2
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 03E74603
                                                                    • GetLastError.KERNEL32(?,?,?,00000000), ref: 03E7460D
                                                                    • FreeSid.ADVAPI32(00000000,?,?,?,00000000), ref: 03E74618
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateErrorFreeInitializeLast
                                                                    • String ID:
                                                                    • API String ID: 466377068-0
                                                                    • Opcode ID: 32c737fb78737c8a4375290bd9873aea232c8b04480fdb05d9342495e443c6e9
                                                                    • Instruction ID: 16984516701d92d27ea6172422722477a44c68393efe91fce618dc2ba0d6e2f6
                                                                    • Opcode Fuzzy Hash: 32c737fb78737c8a4375290bd9873aea232c8b04480fdb05d9342495e443c6e9
                                                                    • Instruction Fuzzy Hash: BF01FB72905248FFDB11EFE995045DDBFB8EF25204F1441E9D981E3241E2705B44CBA1
                                                                    APIs
                                                                    • GetThreadLocale.KERNEL32 ref: 03EBE034
                                                                    • GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 03EBE046
                                                                    • GetACP.KERNEL32 ref: 03EBE06F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Locale$InfoThread
                                                                    • String ID:
                                                                    • API String ID: 4232894706-0
                                                                    • Opcode ID: eae39fca5a706aceb994b09783350d727ea2dd53ab7bf8859c669aa9164e60d5
                                                                    • Instruction ID: b587ac31ec5f008953201e33d904c0a6f54de8e83f1ac80538d7135c55bf6a03
                                                                    • Opcode Fuzzy Hash: eae39fca5a706aceb994b09783350d727ea2dd53ab7bf8859c669aa9164e60d5
                                                                    • Instruction Fuzzy Hash: E5F0F631E012286BDB12EFB5B8157EFB7F8AF45B45B1413A9DD81EB244DA20A909C7D0
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 03EBFA11
                                                                      • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
                                                                      • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
                                                                    • IsIconic.USER32(?), ref: 03EBFA3D
                                                                    • GetParent.USER32(?), ref: 03EBFA4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Parent$Exception@8H_prolog3IconicThrow
                                                                    • String ID:
                                                                    • API String ID: 144390861-0
                                                                    • Opcode ID: 4d04f770810b6138642fc85e2d8b55d7bb3832f1eac2ce65552ca60af2b9544d
                                                                    • Instruction ID: 9030586eaee89cf79d7b26dc3ab00661c26903d7d904d80bf587d419bcf1ab80
                                                                    • Opcode Fuzzy Hash: 4d04f770810b6138642fc85e2d8b55d7bb3832f1eac2ce65552ca60af2b9544d
                                                                    • Instruction Fuzzy Hash: 27F09635705611EACA1AEA359C44A9FAEBDFF80999B082735E44587510EF70E812CA60
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 565e1a84647ec8202e7beb5d07a08690a421533688ccb7c401418ab920aebc51
                                                                    • Instruction ID: 89de2b5608d9ff17c8e98d936cb6fe00ddfdededee3dd0cbf567d76f840ca3ba
                                                                    • Opcode Fuzzy Hash: 565e1a84647ec8202e7beb5d07a08690a421533688ccb7c401418ab920aebc51
                                                                    • Instruction Fuzzy Hash: B6F03C7110012EAACF02EF76DC08AEE7FBDBF102A4F05A211F806D4062EB72D7118B60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID: @$Model$VMWare
                                                                    • API String ID: 1029625771-3116489874
                                                                    • Opcode ID: 4fd66ed4daf124c8a98c78b482273e40e86fd2cea94bef184d0c5bd098ed16da
                                                                    • Instruction ID: 0055d3d15b57dedf10942ed72f7383e5f0128a4d3a81dd6ea09ab503b49b9b97
                                                                    • Opcode Fuzzy Hash: 4fd66ed4daf124c8a98c78b482273e40e86fd2cea94bef184d0c5bd098ed16da
                                                                    • Instruction Fuzzy Hash: FD11597E70530839DE50EA555D82F9F7FADCB849E9F282516F50CA8041E572C90061B0
                                                                    APIs
                                                                    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 03E28282
                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 03E28297
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CallNtdllProcProc_
                                                                    • String ID:
                                                                    • API String ID: 1646280189-0
                                                                    • Opcode ID: fe53ecdc033c64846f9ce5b4a21e1040c167ecc29259f769b5a6122688a1bf0a
                                                                    • Instruction ID: 5917c9f18bf21547a4751e3721df62a5b66369dc7e0b75b5fe74da038aebeda9
                                                                    • Opcode Fuzzy Hash: fe53ecdc033c64846f9ce5b4a21e1040c167ecc29259f769b5a6122688a1bf0a
                                                                    • Instruction Fuzzy Hash: 40F09836100619EBCF119F95DC04D9A7FB9FF08251B085569FA4A86520D772E420AF50
                                                                    APIs
                                                                    • DeviceIoControl.KERNEL32(03E7426B,0007C088,?,00000020,?,00000210,03E7F313,00000000), ref: 03E7EFDB
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ControlDevice
                                                                    • String ID:
                                                                    • API String ID: 2352790924-0
                                                                    • Opcode ID: 014fc2f3fb5515a6cd45bf1e1870b04d19ae933d23e81f08eec331f7c9e584dc
                                                                    • Instruction ID: 783cbeea671b825f5cbf71f6e79f590058a5434a02b75eea87b2e3753d02c0f8
                                                                    • Opcode Fuzzy Hash: 014fc2f3fb5515a6cd45bf1e1870b04d19ae933d23e81f08eec331f7c9e584dc
                                                                    • Instruction Fuzzy Hash: ABF0446218A3C49ED7028B689889ED6BF955B36714F0DC5C8F9980F393C1B5D458C771
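The records in this listing are the raw material for triage, but the report presents them one function at a time with no way to query them. Below is an added example (this editor's code, not Joe Sandbox's and not part of the analysed sample) that parses this record layout, which is inferred from the blocks in this listing: one block per function, API lines of the form `Name.MODULE(args), ref: ADDR` (sometimes without an argument list) with callee calls marked `Part of subcall function`, and a `Similarity` section whose `API String ID` is a pair of hashes whose first half is 0 exactly when `API ID` is empty and whose second half is 0 exactly when `String ID` is empty. It runs three checks a practitioner would want: that each record parsed consistently against that rule, which records carry hypervisor strings such as the `@$Model$VMWare` block (the indicator list is illustrative and this example's own, not the report's), and what the `DeviceIoControl` code `0007C088` means when split into the standard CTL_CODE fields (device type 7 is FILE_DEVICE_DISK, function 0x22, METHOD_BUFFERED, read and write access, the value winioctl.h defines as SMART_RCV_DRIVE_DATA, used to read a physical drive's identification data). The embedded sample is constructed from three of the blocks in this listing.

```python
"""Parse Joe Sandbox IDA-plugin function records and triage them.

Added example for this page; not code from Joe Sandbox or from the sample.
The record layout is inferred from this listing; the hypervisor indicator
list and the IOCTL decoder are this example's own additions.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: three records copied from this listing, indentation dropped.
SAMPLE = """\
APIs
  • Part of subcall function 03E2590D: RtlLeaveCriticalSection.NTDLL(-03F774D9), ref: 03E25924
• __CxxThrowException@8.LIBCMT ref: 03E2CE9E
  • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
• __snprintf_s.LIBCMT ref: 03E2CEEF
  • Part of subcall function 03E38F35: __vsnprintf_s_l.LIBCMT ref: 03E38F4A
• __snprintf_s.LIBCMT ref: 03E2CF21
Similarity
• API ID: __snprintf_s$CriticalExceptionException@8LeaveRaiseSectionThrow__vsnprintf_s_l
• String ID: Afx:%p:%x
• API String ID: 2263037651-3201128726
• Opcode ID: 210000cacd1848f7673bee12cebd778c78c95669af189765e87d0cc9f17e2ef8
• Instruction Fuzzy Hash: A12174B4D003289FDB11EFA9C840ADEBBF8EF09350F145266E954BB250E7708950CFA2
Similarity
• API ID: LibraryLoad
• String ID: @$Model$VMWare
• API String ID: 1029625771-3116489874
• Opcode ID: 4fd66ed4daf124c8a98c78b482273e40e86fd2cea94bef184d0c5bd098ed16da
• Instruction Fuzzy Hash: FD11597E70530839DE50EA555D82F9F7FADCB849E9F282516F50CA8041E572C90061B0
APIs
• DeviceIoControl.KERNEL32(03E7426B,0007C088,?,00000020,?,00000210,03E7F313,00000000), ref: 03E7EFDB
Similarity
• API ID: ControlDevice
• String ID:
• API String ID: 2352790924-0
• Opcode ID: 014fc2f3fb5515a6cd45bf1e1870b04d19ae933d23e81f08eec331f7c9e584dc
• Instruction Fuzzy Hash: ABF0446218A3C49ED7028B689889ED6BF955B36714F0DC5C8F9980F393C1B5D458C771
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list).
API_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SUBCALL_PREFIX = "Part of subcall function "   # call made inside a callee
ApiCall = namedtuple("ApiCall", "name module args ref direct")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)
    api_string_id: tuple = (0, 0)   # (hash of API ID, hash of String ID)
    opcode_id: str = ""


def parse_records(text):
    """One FunctionRecord per block; the 'Instruction Fuzzy Hash' bullet is
    the last line of every block in the listing, so it closes the record."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        direct = not line.startswith(SUBCALL_PREFIX)
        if not direct:                       # drop "Part of subcall function X: "
            line = line.split(": ", 1)[1]
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], direct))
        elif line.startswith("API ID:"):
            cur.api_id = line[7:].strip()
        elif line.startswith("String ID:"):   # strings are '$'-joined
            cur.strings = [s for s in line[10:].strip().split("$") if s]
        elif line.startswith("API String ID:") and "-" in line:
            a, b = line[14:].strip().split("-", 1)
            cur.api_string_id = (int(a), int(b))
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line[10:].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = FunctionRecord()
    return records


def id_consistent(rec):
    """A hash half is 0 exactly when its source field is empty; a mismatch
    means the record was mis-parsed (e.g. a block boundary was missed)."""
    api_hash, str_hash = rec.api_string_id
    return ((api_hash == 0) == (rec.api_id == "")
            and (str_hash == 0) == (not rec.strings))


# Illustrative hypervisor markers; this example's own list, not the report's.
VM_INDICATORS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "HYPER-V")


def vm_indicators(rec):
    return [s for s in rec.strings if any(k in s.upper() for k in VM_INDICATORS)]


def decode_ioctl(code):
    """CTL_CODE layout: bits 31..16 device type, 15..14 access,
    13..2 function, 1..0 method (0 = METHOD_BUFFERED)."""
    return {"device": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3}


def ioctls_used(rec):
    """Decode the control code (2nd argument) of each direct DeviceIoControl."""
    return [decode_ioctl(int(c.args[1], 16)) for c in rec.apis
            if c.name == "DeviceIoControl" and c.direct
            and len(c.args) > 1 and c.args[1] != "?"]
```

Run it over the report text saved as plain text and iterate `parse_records`, printing `api_id`, `vm_indicators` and `ioctls_used` for each record; records failing `id_consistent` are the ones to inspect by hand, since a bad parse there usually means two blocks were merged.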
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb0e0b69c17f67bf4b990cd5659b2664835d0389edcfb46e343ad54d561b0188
                                                                    • Instruction ID: d7a69679969a6672727e88783ba26e57463e617f4e4b4766bb7d8311e103eb43
                                                                    • Opcode Fuzzy Hash: eb0e0b69c17f67bf4b990cd5659b2664835d0389edcfb46e343ad54d561b0188
                                                                    • Instruction Fuzzy Hash: E4F01C3605163DBBCF129F919E04CEB3F6EEF08255F049661FA1695010CB31D520EFA1
                                                                    APIs
                                                                    • GetSystemInfo.KERNEL32(?,03E741D5,?,?,?,?,?,03E7A5E9,00000000,03E741D5,03E741FB), ref: 03E7EED8
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystem
                                                                    • String ID:
                                                                    • API String ID: 31276548-0
                                                                    • Opcode ID: c47fb476c93dc3528670e864995dfb42343cae49e359febd7931830d23a52efd
                                                                    • Instruction ID: 05a3faf73a63abeec71394f1f6368c42816bb746a586d1f889ae0e9f0b560b0a
                                                                    • Opcode Fuzzy Hash: c47fb476c93dc3528670e864995dfb42343cae49e359febd7931830d23a52efd
                                                                    • Instruction Fuzzy Hash: D5E0CD765483885FCF00DFB5D8055DB77F99B8D204F1005A5D801E7241E531D906C761
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: J
                                                                    • API String ID: 0-1141589763
                                                                    • Opcode ID: 585661bac9716261fb76fb610074e9a3cf3274d116fb44653ac3c33767e1b62f
                                                                    • Instruction ID: 871565b636ee51f9dd2cc41bf3c34cfdb589427bd0569f17a5c2ce45730ddbef
                                                                    • Opcode Fuzzy Hash: 585661bac9716261fb76fb610074e9a3cf3274d116fb44653ac3c33767e1b62f
                                                                    • Instruction Fuzzy Hash: 8CD01276244A0CCF8740DE59F800A6233F8BB08752F009162F90887B21E3B5B821DF60
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    • Opcode ID: 0c0f86f4aa59ddc848328b87ba78e1793e656d395758f058012bfe749c1b99b6
                                                                    • Instruction ID: 9bdcb95526df811453d90b7ea37b52a0a7eb44e5df87ced2f403143f4d482bb3
                                                                    • Opcode Fuzzy Hash: 0c0f86f4aa59ddc848328b87ba78e1793e656d395758f058012bfe749c1b99b6
                                                                    • Instruction Fuzzy Hash: 25D17D74A02229CFEB24CF04D994F99F7B2BB48304F1582DAD809AB391C775AE85CF55
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E31752
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,0000005C), ref: 03E3177C
                                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 03E3178D
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E317C3
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E317CB
                                                                    • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 03E317DF
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E31803
                                                                    • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 03E31809
                                                                    • GetModuleFileNameA.KERNEL32(03E10DB0,00000000,00000105), ref: 03E3184A
                                                                    • GetVersion.KERNEL32 ref: 03E3185F
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 03E31884
                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 03E318A9
                                                                    • _sscanf.LIBCMT ref: 03E318C9
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E318FE
                                                                    • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 03E31904
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E31913
                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 03E31923
                                                                    • EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,03E31015,?), ref: 03E3193E
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E3196F
                                                                    • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 03E31975
                                                                    • _memset.LIBCMT ref: 03E3198F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
                                                                    • String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll$p,t
                                                                    • API String ID: 434808117-1319794236
                                                                    • Opcode ID: a7cc831bdfe4fc099900b9020f42c9b7abcb3fa66af70495ed012f223d625f5f
                                                                    • Instruction ID: c925faacb37a6989c34a49060aa3064cc71c75ffe49044a1731d476548e4c184
                                                                    • Opcode Fuzzy Hash: a7cc831bdfe4fc099900b9020f42c9b7abcb3fa66af70495ed012f223d625f5f
                                                                    • Instruction Fuzzy Hash: D5814DB1D002699EDF10EFA5DC48AFEBBB8EF09304F10562AE555E7280D7789A45CB60
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E2F7E5
                                                                      • Part of subcall function 03E24DB9: __EH_prolog3.LIBCMT ref: 03E24DC0
                                                                    • _memset.LIBCMT ref: 03E2F81D
                                                                    • GetMenuItemInfoA.USER32(?,?,00000000,?), ref: 03E2F845
                                                                    • GetMenuItemInfoA.USER32(?,?,00000000,00000030), ref: 03E2F86F
                                                                      • Part of subcall function 03E241E2: _strlen.LIBCMT ref: 03E241F5
                                                                    • CopyRect.USER32(?,?), ref: 03E2F890
                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 03E2F8BD
                                                                    • GetSystemMetrics.USER32(00000032), ref: 03E2F8D0
                                                                    • GetSystemMetrics.USER32(00000031), ref: 03E2F8DA
                                                                    • GetSysColor.USER32(00000004), ref: 03E2F91B
                                                                    • CopyRect.USER32(?,?), ref: 03E2F979
                                                                    • GetSysColor.USER32(0000000D), ref: 03E2F98A
                                                                    • GetSysColor.USER32(00000010), ref: 03E2F9BA
                                                                    • GetSysColor.USER32(00000014), ref: 03E2F9BF
                                                                    • GetSysColor.USER32(0000000D), ref: 03E2F9E9
                                                                    • GetSysColor.USER32(0000000E), ref: 03E2FA04
                                                                    • ExtTextOutA.GDI32(?,?,00000030,00000002,00000000,?,?,00000000), ref: 03E2FB68
                                                                      • Part of subcall function 03E3242C: SetBkColor.GDI32(?,?), ref: 03E3244D
                                                                      • Part of subcall function 03E3242C: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 03E32461
                                                                    • GetSysColor.USER32(00000014), ref: 03E2FA40
                                                                      • Part of subcall function 03E2FD2A: SetBkMode.GDI32(?,?), ref: 03E2FD43
                                                                      • Part of subcall function 03E2FD2A: SetBkMode.GDI32(?,?), ref: 03E2FD51
                                                                    • ExtTextOutA.GDI32(?,?,00000002,00000002,00000000,?,?,00000000), ref: 03E2FA96
                                                                    • GetSysColor.USER32(00000011), ref: 03E2FAA3
                                                                    • GetSysColor.USER32(00000014), ref: 03E2FAF7
                                                                    • GetSysColor.USER32(00000010), ref: 03E2FAFC
                                                                    • GetSysColor.USER32(00000007), ref: 03E2FB2C
                                                                    • InflateRect.USER32(00000040,000000FF,000000FF), ref: 03E2FBFA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Color$RectText$CopyH_prolog3InfoItemMenuMetricsModeSystem$InflateObject_memset_strlen
                                                                    • String ID: 0$@
                                                                    • API String ID: 3050049518-1545510068
                                                                    • Opcode ID: dab32aa758d867f996ea3eb34fbfbd5e9c64314cff4b5f3e709467e93c9ceb0e
                                                                    • Instruction ID: 6ec7420cf590d4f44ef8813827eded00f7e5298f89a4c676db800353c0936291
                                                                    • Opcode Fuzzy Hash: dab32aa758d867f996ea3eb34fbfbd5e9c64314cff4b5f3e709467e93c9ceb0e
                                                                    • Instruction Fuzzy Hash: 55F124B5600248AFCF18DFA8C898EAE7BB9FF48344F045219FE1697290CB35E841CB50
                                                                    APIs
                                                                    • SysAllocString.OLEAUT32(03F49340), ref: 03E7CAD3
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 03E7CAF3
                                                                    • SysAllocString.OLEAUT32(03F49338), ref: 03E7CB31
                                                                    • _sprintf.LIBCMT ref: 03E7CB48
                                                                    • _memset.LIBCMT ref: 03E7CB5A
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000008,?,?,?,000003FF), ref: 03E7CB92
                                                                    • SysAllocString.OLEAUT32(?), ref: 03E7CB9B
                                                                    • SysFreeString.OLEAUT32(00000028), ref: 03E7CBBD
                                                                    • SysFreeString.OLEAUT32(03E7CD3A), ref: 03E7CBE6
                                                                    • _memset.LIBCMT ref: 03E7CC28
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000008,?,?,?,000003FF), ref: 03E7CC4E
                                                                    • SysAllocString.OLEAUT32(?), ref: 03E7CC7A
                                                                    • SysFreeString.OLEAUT32(00000028), ref: 03E7CCAD
                                                                    • VariantClear.OLEAUT32(00000008), ref: 03E7CCBE
                                                                    • SysFreeString.OLEAUT32(00000000), ref: 03E7CCD0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: String$Free$Alloc$ByteCharMultiWide_memset$ClearVariant_sprintf
                                                                    • String ID: $$$$($.$.$K$K$M$Microsoft Virtual Machine Bus$O
                                                                    • API String ID: 1818697403-2656677058
                                                                    • Opcode ID: d36fbdbe63a3a1af9cad8b31955ef2334b5ecb0498e4c6961f55a906d9dd36c3
                                                                    • Instruction ID: c1770553909edcfd30e66d80ed030484bb27fb3d160e340096d79f996be7a4d7
                                                                    • Opcode Fuzzy Hash: d36fbdbe63a3a1af9cad8b31955ef2334b5ecb0498e4c6961f55a906d9dd36c3
                                                                    • Instruction Fuzzy Hash: FEB177B0900249EFCB10DFE4DC889EEBBBDEF49314F148699F555AB290D7319A46CB60
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E7964A
                                                                      • Part of subcall function 03E77A39: GetFileAttributesA.KERNEL32(00000000), ref: 03E77B03
                                                                    • MessageBoxA.USER32(00000000,03F48C04,03F48C44,00000000), ref: 03E7968F
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 03E796B8
                                                                    • GetLastError.KERNEL32 ref: 03E796D3
                                                                    • Sleep.KERNEL32(00000032), ref: 03E796EA
                                                                    • RegisterClassA.USER32(00000003), ref: 03E796F4
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 03E79701
                                                                    • CreateWindowExA.USER32(00000000,DPPPDLL32,DPPPDLL32,000A0000,80000000,00000000,80000000,00000000,00000000,00000000,00000000), ref: 03E79717
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 03E79783
                                                                    • WaitForInputIdle.USER32(?,00000BB8), ref: 03E79795
                                                                    • MessageBoxA.USER32(00000000,03F48BE8,03F48C44,00000000), ref: 03E797D3
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 03E797E3
                                                                    • UnregisterClassA.USER32(DPPPDLL32,00000000), ref: 03E797E7
                                                                    • CloseHandle.KERNEL32(?), ref: 03E797FF
                                                                    • CloseHandle.KERNEL32(?), ref: 03E79804
                                                                    • SendMessageA.USER32(?,0000004A,0000000A,?), ref: 03E7985E
                                                                    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 03E7986B
                                                                    • FindWindowA.USER32(03F48B84,00000000), ref: 03E79879
                                                                    • Sleep.KERNEL32(00000032), ref: 03E79885
                                                                    • MessageBoxA.USER32(00000000,03F48BA8,03F48C44,00000000), ref: 03E798C0
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 03E798CC
                                                                    • UnregisterClassA.USER32(DPPPDLL32,00000000), ref: 03E798D0
                                                                    • MessageBoxA.USER32(00000000,03F48B8C,03F48C44,00000000), ref: 03E798F2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: HandleMessage$Module$Class$CloseCreateSendSleepUnregisterWindow$AttributesErrorFileFindIdleInputLastProcessRegisterWait_memset
                                                                    • String ID: DPPPDLL32
                                                                    • API String ID: 499993998-646384955
                                                                    • Opcode ID: 98afd7b1d4f90746f10f5f582abda595970dd9e09be67a66513c13255fa03a00
                                                                    • Instruction ID: f9a4d344f49a769264d059550734cf796d6bb05b6fecf01ac3da1b3934026584
                                                                    • Opcode Fuzzy Hash: 98afd7b1d4f90746f10f5f582abda595970dd9e09be67a66513c13255fa03a00
                                                                    • Instruction Fuzzy Hash: DC715AB1941219BEEB10EFA1ED84EEFBE7CEF04799F146259F909A6106D7708940CB60
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000004,00000000,00000000), ref: 03E8BABC
                                                                    • GlobalAlloc.KERNEL32(00000040,00010001), ref: 03E8BB19
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E8BB30
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E8BB58
                                                                    • GlobalFree.KERNEL32(?), ref: 03E8BB68
                                                                    • SendMessageA.USER32(00000000,00000405,00000001,?), ref: 03E8BBC6
                                                                    • PeekMessageA.USER32(?,?,00000000,00000000,00000001), ref: 03E8BBED
                                                                    • UpdateWindow.USER32(?), ref: 03E8BBFA
                                                                    • TranslateMessage.USER32(?), ref: 03E8BC04
                                                                    • DispatchMessageA.USER32(?), ref: 03E8BC0E
                                                                    • SendMessageA.USER32(?,00000405,00000002,?), ref: 03E8BD0E
                                                                    • GlobalUnWire.KERNEL32(?), ref: 03E8BD2F
                                                                    • GlobalFree.KERNEL32(?), ref: 03E8BD38
                                                                    • CloseHandle.KERNEL32(?), ref: 03E8BD41
                                                                    • DeleteFileA.KERNEL32(?), ref: 03E8BB3C
                                                                      • Part of subcall function 03E8B1EA: GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B227
                                                                      • Part of subcall function 03E8B1EA: GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B242
                                                                      • Part of subcall function 03E8B1EA: GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B25D
                                                                      • Part of subcall function 03E8B1EA: GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B278
                                                                      • Part of subcall function 03E8B1EA: GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B293
                                                                      • Part of subcall function 03E8B1EA: FreeLibrary.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B29F
                                                                    • DeleteFileA.KERNEL32(?), ref: 03E8BDAD
                                                                      • Part of subcall function 03E8B5C3: GetSysColor.USER32(0000000F), ref: 03E8B5D5
                                                                      • Part of subcall function 03E8B5C3: CreateSolidBrush.GDI32(00000000), ref: 03E8B5DC
                                                                      • Part of subcall function 03E8B5C3: LoadCursorA.USER32(00000000,00007F00), ref: 03E8B5ED
                                                                      • Part of subcall function 03E8B5C3: GetModuleHandleA.KERNEL32(00000000), ref: 03E8B603
                                                                      • Part of subcall function 03E8B5C3: RegisterClassExA.USER32(?), ref: 03E8B626
                                                                      • Part of subcall function 03E8B5C3: CreateWindowExA.USER32(00040001,03F4A86C,03F4A85C,80C00000,00000064,00000064,0000012C,000000A0,00000000,00000000,?,00000000), ref: 03E8B652
                                                                      • Part of subcall function 03E8B5C3: GetWindowRect.USER32(00000000), ref: 03E8B679
                                                                      • Part of subcall function 03E8B5C3: GetWindowRect.USER32(?,?), ref: 03E8B686
                                                                      • Part of subcall function 03E8B5C3: SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 03E8B6D8
                                                                      • Part of subcall function 03E8B5C3: ShowWindow.USER32(?,00000005), ref: 03E8B6E9
                                                                    • GlobalUnWire.KERNEL32(?), ref: 03E8BD8F
                                                                    • GlobalFree.KERNEL32(?), ref: 03E8BD98
                                                                    • CloseHandle.KERNEL32(?), ref: 03E8BDA1
                                                                    • GlobalUnWire.KERNEL32(?), ref: 03E8BE16
                                                                    • GlobalFree.KERNEL32(?), ref: 03E8BE1F
                                                                    • CloseHandle.KERNEL32(?), ref: 03E8BE28
                                                                    • DeleteFileA.KERNEL32(?), ref: 03E8BE34
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$Window$ErrorFreeHandleLastMessage$CloseFile$CreateDeleteWire$RectSend$AllocBrushClassColorCursorDispatchLibraryLoadModulePeekRegisterShowSolidTranslateUpdate
                                                                    • String ID:
                                                                    • API String ID: 513574419-0
                                                                    • Opcode ID: a902872f39692a10c387129ce99fa47d7693db876d56ca66801e3e2482913964
                                                                    • Instruction ID: 95cebd02d9881cd8d05e5e9128f3f848dc969169ffa09cd5ebdc0d50b1eec861
                                                                    • Opcode Fuzzy Hash: a902872f39692a10c387129ce99fa47d7693db876d56ca66801e3e2482913964
                                                                    • Instruction Fuzzy Hash: F5C14A30D4020AFFDB21FBA5EC89AAFBBB9EF84705F14561AF11EA6090D7715A50CB10
                                                                    APIs
                                                                      • Part of subcall function 03E60465: CreateFileA.KERNEL32(00000080,C0000000,00000000,00000000,00000003,00000080,00000000,03E60A14,00000000,?,?,00000518,00000000,00000000), ref: 03E6047B
                                                                      • Part of subcall function 03E60465: GetLastError.KERNEL32 ref: 03E6048C
                                                                    • CloseHandle.KERNEL32(00000000,00000518,00000000,00000000), ref: 03E60A5C
                                                                    • _strlen.LIBCMT ref: 03E60A65
                                                                    • _strncpy.LIBCMT ref: 03E60A74
                                                                    • _strlen.LIBCMT ref: 03E60A82
                                                                    • _strncpy.LIBCMT ref: 03E60A93
                                                                    • GetFileSize.KERNEL32(?,00000000,00000518,00000000,00000000), ref: 03E60ABD
                                                                    • GetFileSize.KERNEL32(?,00000000,00000518,00000000,00000000), ref: 03E60AC7
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E60ADD
                                                                    • _malloc.LIBCMT ref: 03E60AED
                                                                    • _memset.LIBCMT ref: 03E60AFB
                                                                    • ReadFile.KERNEL32(?,?,00000004,00000001,00000000), ref: 03E60B1E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E60B2F
                                                                    • ReadFile.KERNEL32(?,00000200,-00000004,00000001,00000000), ref: 03E60B4D
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E60B5E
                                                                    • _strlen.LIBCMT ref: 03E60B82
                                                                    • CloseHandle.KERNEL32(?), ref: 03E60BD9
                                                                    • _strlen.LIBCMT ref: 03E60BEE
                                                                    • _strncpy.LIBCMT ref: 03E60BFC
                                                                    • _strlen.LIBCMT ref: 03E60C0A
                                                                    • _strncpy.LIBCMT ref: 03E60C1B
                                                                    • _malloc.LIBCMT ref: 03E60C26
                                                                    • _memset.LIBCMT ref: 03E60C3F
                                                                    • _strlen.LIBCMT ref: 03E60C55
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$CloseFileHandle$_strncpy$ReadSize_malloc_memset$CreateErrorLast
                                                                    • String ID:
                                                                    • API String ID: 2849446005-0
                                                                    • Opcode ID: 36e476f8c96c30640b622ebfa3f255df02a104197e8ad2edbda9946fbde84d59
                                                                    • Instruction ID: 17f41d6cb30756412da87a99630093a61951adfcae8fdc627c6e56ffd4ae9847
                                                                    • Opcode Fuzzy Hash: 36e476f8c96c30640b622ebfa3f255df02a104197e8ad2edbda9946fbde84d59
                                                                    • Instruction Fuzzy Hash: 7391AE75944219EFDB20EFA4CC88DAEBBB9EF05388F145A69F986D7240D7309D54CB10
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 03E2BF4C
                                                                      • Part of subcall function 03E24743: __EH_prolog3.LIBCMT ref: 03E2474A
                                                                    • CallNextHookEx.USER32(?,?,?,?), ref: 03E2BF90
                                                                      • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
                                                                      • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
                                                                    • GetClassLongA.USER32(?,000000E6), ref: 03E2BFD4
                                                                    • GlobalGetAtomNameA.KERNEL32 ref: 03E2BFFE
                                                                    • SetWindowLongA.USER32(?,000000FC,Function_00019BA8), ref: 03E2C053
                                                                    • _memset.LIBCMT ref: 03E2C09D
                                                                    • GetClassLongA.USER32(?,000000E0), ref: 03E2C0CD
                                                                    • GetClassNameA.USER32(?,?,00000100), ref: 03E2C0EE
                                                                    • GetWindowLongA.USER32(?,000000FC), ref: 03E2C112
                                                                    • GetPropA.USER32(?,AfxOldWndProc423), ref: 03E2C12C
                                                                    • SetPropA.USER32(?,AfxOldWndProc423,?), ref: 03E2C137
                                                                    • GetPropA.USER32(?,AfxOldWndProc423), ref: 03E2C13F
                                                                    • GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 03E2C147
                                                                    • SetWindowLongA.USER32(?,000000FC,Function_0001ADF8), ref: 03E2C155
                                                                    • CallNextHookEx.USER32(?,00000003,?,?), ref: 03E2C16D
                                                                    • UnhookWindowsHookEx.USER32(?), ref: 03E2C181
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
                                                                    • String ID: #32768$AfxOldWndProc423$ime
                                                                    • API String ID: 1191297049-4034971020
                                                                    • Opcode ID: a4d17f7309ffa07d54563dc771937e204b5144fb52c2d473e7ec2b36ca299164
                                                                    • Instruction ID: 165e2bc8d1e6cd6fec5b2745867258d98c14b8ee7ff804433af7dc735133f2d0
                                                                    • Opcode Fuzzy Hash: a4d17f7309ffa07d54563dc771937e204b5144fb52c2d473e7ec2b36ca299164
                                                                    • Instruction Fuzzy Hash: 3A61B37150123AAFDB20EB65DC49BEF7FB8AF08365F142394F505A62C1D7709A91CBA0
                                                                    APIs
                                                                    • _strcpy_s.LIBCMT ref: 03E3C343
                                                                    • __invoke_watson.LIBCMT ref: 03E3C354
                                                                    • GetModuleFileNameA.KERNEL32(00000000,03F79531,00000104,?,03E11FC4,000A0000), ref: 03E3C370
                                                                    • _strcpy_s.LIBCMT ref: 03E3C385
                                                                    • __invoke_watson.LIBCMT ref: 03E3C398
                                                                    • _strlen.LIBCMT ref: 03E3C3A1
                                                                    • _strlen.LIBCMT ref: 03E3C3AE
                                                                    • __invoke_watson.LIBCMT ref: 03E3C3DB
                                                                    • _strcat_s.LIBCMT ref: 03E3C3EE
                                                                    • __invoke_watson.LIBCMT ref: 03E3C3FF
                                                                    • _strcat_s.LIBCMT ref: 03E3C410
                                                                    • __invoke_watson.LIBCMT ref: 03E3C421
                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000001,?,00000000,00000003,03E3C4A3,000000FC,03E3B5DC,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA), ref: 03E3C440
                                                                    • _strlen.LIBCMT ref: 03E3C461
                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,03E35E49,00000000,?,00000001,?,00000000,00000003,03E3C4A3,000000FC,03E3B5DC,03F5FD88,0000000C,03E3B697), ref: 03E3C46B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                    • API String ID: 1879448924-4022980321
                                                                    • Opcode ID: 1e462cfbb2ea8bd7ab15dec1c53841f22cf730c9add4986f6eee3e74abeab669
                                                                    • Instruction ID: 68e1389c366e8844aec774c5e2bc1dc334d54b56602ae5346eaeef1fc096e29a
                                                                    • Opcode Fuzzy Hash: 1e462cfbb2ea8bd7ab15dec1c53841f22cf730c9add4986f6eee3e74abeab669
                                                                    • Instruction Fuzzy Hash: 153159B6A003183BE920F2359C8DF7F725C9B17255F282725FD5AB5082EB52D951C1F2
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,03E397FF), ref: 03E3DBBA
                                                                    • __mtterm.LIBCMT ref: 03E3DBC6
                                                                      • Part of subcall function 03E3D89F: TlsFree.KERNEL32(03F6A9F8,03E3DD33), ref: 03E3D8CA
                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 03E3DBDC
                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 03E3DBE9
                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03E3DBF6
                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03E3DC03
                                                                    • TlsAlloc.KERNEL32 ref: 03E3DC53
                                                                    • TlsSetValue.KERNEL32(00000000), ref: 03E3DC6E
                                                                    • __init_pointers.LIBCMT ref: 03E3DC78
                                                                    • __calloc_crt.LIBCMT ref: 03E3DCED
                                                                    • GetCurrentThreadId.KERNEL32 ref: 03E3DD1D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(USER32,?,?,?,03E27A5B), ref: 03E27938
                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 03E27954
                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 03E27965
                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 03E27976
                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 03E27987
                                                                    • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 03E27998
                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 03E279A9
                                                                    • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 03E279BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E71BB0
                                                                    • _memset.LIBCMT ref: 03E71BC9
                                                                    • _memset.LIBCMT ref: 03E71BDD
                                                                    • _memset.LIBCMT ref: 03E71BFF
                                                                    • RegOpenKeyExA.ADVAPI32(80000000,03F48324,00000000,00020019,?), ref: 03E71C35
                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 03E71C62
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E71C73
                                                                      • Part of subcall function 03E77E92: _malloc.LIBCMT ref: 03E77EDC
                                                                      • Part of subcall function 03E77E92: _memset.LIBCMT ref: 03E77EEC
                                                                    • _memset.LIBCMT ref: 03E71EE6
                                                                    • CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000010,00000000,00000000,?,?), ref: 03E71F13
                                                                    • WaitForSingleObject.KERNEL32(?,000003E8), ref: 03E71F47
                                                                    • CloseHandle.KERNEL32(?), ref: 03E71F56
                                                                    • CloseHandle.KERNEL32(?), ref: 03E71F5B
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E71F62
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$Close$Handle$CreateEnumObjectOpenProcessSingleValueWait_malloc
                                                                    • String ID: (Default)$Opera.exe
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,03F79518,03E3C439,03F79518,Microsoft Visual C++ Runtime Library,00012010), ref: 03E4568F
                                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 03E456AB
                                                                      • Part of subcall function 03E3D77F: TlsGetValue.KERNEL32(03E3F234,03E3F2B4,03E3F234,00000014,03E3B638,00000000,00000FA0,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA,00000004,03F5FB80), ref: 03E3D78C
                                                                      • Part of subcall function 03E3D77F: TlsGetValue.KERNEL32(03F6A9F4,?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214), ref: 03E3D7A3
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 03E456C8
                                                                      • Part of subcall function 03E3D77F: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214), ref: 03E3D7B8
                                                                      • Part of subcall function 03E3D77F: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 03E3D7D3
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 03E456DD
                                                                    • __invoke_watson.LIBCMT ref: 03E456FE
                                                                      • Part of subcall function 03E3C74A: _memset.LIBCMT ref: 03E3C7D6
                                                                      • Part of subcall function 03E3C74A: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 03E3C7F4
                                                                      • Part of subcall function 03E3C74A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 03E3C7FE
                                                                      • Part of subcall function 03E3C74A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 03E3C808
                                                                      • Part of subcall function 03E3C74A: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 03E3C823
                                                                      • Part of subcall function 03E3C74A: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 03E3C82A
                                                                      • Part of subcall function 03E3D7F6: TlsGetValue.KERNEL32(?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D803
                                                                      • Part of subcall function 03E3D7F6: TlsGetValue.KERNEL32(03F6A9F4,?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D81A
                                                                      • Part of subcall function 03E3D7F6: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D82F
                                                                      • Part of subcall function 03E3D7F6: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 03E3D84A
                                                                    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 03E45712
                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 03E4572A
                                                                    • __invoke_watson.LIBCMT ref: 03E4579D
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                                                                    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__ltoa_sprintf$_xtoa@16
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__ltoa_sprintf$ChangeCloseFindNotification_xtoa@16
                                                                    Strings
                                                                    • Can't load module '%s', xrefs: 03E16975
                                                                    • Can't find '%s' function in module '%s', xrefs: 03E16A19
                                                                    • Internal Error #102, xrefs: 03E16A2D
                                                                    • Internal Error #101, xrefs: 03E16989
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$_mallocwsprintf$CriticalEnterSection
                                                                    • String ID: Can't find '%s' function in module '%s'$Can't load module '%s'$Internal Error #101$Internal Error #102
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E31752
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,0000005C), ref: 03E3177C
                                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 03E3178D
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E317C3
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E317CB
                                                                    • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 03E317DF
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E31803
                                                                    • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 03E31809
                                                                    • GetModuleFileNameA.KERNEL32(03E10DB0,00000000,00000105), ref: 03E3184A
                                                                    • GetVersion.KERNEL32 ref: 03E3185F
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 03E31884
                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 03E318A9
                                                                    • _sscanf.LIBCMT ref: 03E318C9
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E318FE
                                                                    • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 03E31904
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E31913
                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 03E31923
                                                                    • EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,03E31015,?), ref: 03E3193E
                                                                    • ConvertDefaultLocale.KERNEL32(?), ref: 03E3196F
                                                                    • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 03E31975
                                                                    • _memset.LIBCMT ref: 03E3198F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
                                                                    • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$p,t
                                                                    APIs
                                                                    • GetIconInfo.USER32(?,?), ref: 03E6C9D2
                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 03E6CA22
                                                                    • SelectObject.GDI32(?,?), ref: 03E6CA6B
                                                                    • SelectObject.GDI32(?,?), ref: 03E6CA76
                                                                    • GetPixel.GDI32(00000000,00000000,03E6D30E), ref: 03E6CA9F
                                                                    • SetPixel.GDI32(?,00000000,03E6D30E,00000000), ref: 03E6CB03
                                                                    • SelectObject.GDI32(?,?), ref: 03E6CB25
                                                                    • SelectObject.GDI32(?,?), ref: 03E6CB2D
                                                                    • CreateIconIndirect.USER32(?), ref: 03E6CB40
                                                                    • DeleteObject.GDI32(?), ref: 03E6CB4B
                                                                    • DeleteObject.GDI32(?), ref: 03E6CB5A
                                                                    • DeleteObject.GDI32(?), ref: 03E6CB5F
                                                                    • DeleteDC.GDI32(?), ref: 03E6CB6A
                                                                    • DeleteDC.GDI32(?), ref: 03E6CB6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Object$Delete$Select$IconPixel$CreateIndirectInfo
                                                                    APIs
                                                                    • GetIconInfo.USER32(?,?), ref: 03E6D10F
                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 03E6D15F
                                                                    • SelectObject.GDI32(03E6D31A,?), ref: 03E6D1A8
                                                                    • SelectObject.GDI32(?,?), ref: 03E6D1B3
                                                                    • GetPixel.GDI32(03E6D31A,00000000,?), ref: 03E6D1D3
                                                                    • SetPixel.GDI32(?,00000000,?,00000000), ref: 03E6D1FD
                                                                    • SelectObject.GDI32(03E6D31A,?), ref: 03E6D216
                                                                    • SelectObject.GDI32(?,?), ref: 03E6D21E
                                                                    • CreateIconIndirect.USER32(?), ref: 03E6D231
                                                                    • DeleteObject.GDI32(?), ref: 03E6D23C
                                                                    • DeleteObject.GDI32(?), ref: 03E6D24B
                                                                    • DeleteObject.GDI32(?), ref: 03E6D250
                                                                    • DeleteDC.GDI32(03E6D31A), ref: 03E6D25B
                                                                    • DeleteDC.GDI32(?), ref: 03E6D260
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Object$Delete$Select$IconPixel$CreateIndirectInfo
                                                                    • String ID:
                                                                    • API String ID: 3201106610-0
                                                                    • Opcode ID: 63ae378c8a1dd9a5324792a5cc7ca387f0cec0f119fa9d975f9e456cd527adf3
                                                                    • Instruction ID: 9443a1fbf4e4121e78af8af1ba4dcb0286050fa540d9e7b9c6d16befcc46a7d1
                                                                    • Opcode Fuzzy Hash: 63ae378c8a1dd9a5324792a5cc7ca387f0cec0f119fa9d975f9e456cd527adf3
                                                                    • Instruction Fuzzy Hash: D1411575E40229AFCF11AFA6DD449EEBFB9FF08390F14512AE905B2210D7719A50DFA0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E78CB6
                                                                    • LoadLibraryA.KERNEL32(03F48B34), ref: 03E78CD6
                                                                    • GetProcAddress.KERNEL32(00000000,03F48A58), ref: 03E78CF4
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 03E78CFD
                                                                    • _memset.LIBCMT ref: 03E78D1C
                                                                    • LoadLibraryA.KERNEL32(03F48B34), ref: 03E78D3C
                                                                    • GetProcAddress.KERNEL32(00000000,03F48A58), ref: 03E78D53
                                                                    • _memset.LIBCMT ref: 03E78D66
                                                                    • FreeLibrary.KERNEL32(?), ref: 03E78D9F
                                                                    • _strncmp.LIBCMT ref: 03E78DB3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Library$_memset$AddressFreeLoadProc$_strncmp
                                                                    • String ID: * $3
                                                                    • API String ID: 3603720283-2457549580
                                                                    • Opcode ID: 63c22756563adeabc35f7aebb93dbc6263a8a59a7ee0a28c4c7092588a7707bc
                                                                    • Instruction ID: 91323a9c1748509dcb1454dc3622bb4131befd817f247ad8ca9650f2f50333f7
                                                                    • Opcode Fuzzy Hash: 63c22756563adeabc35f7aebb93dbc6263a8a59a7ee0a28c4c7092588a7707bc
                                                                    • Instruction Fuzzy Hash: BE415E72C042AC7EDF11D7E49C197EEBFB8BF15308F180189D9506A285DBB45208C762
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F4,?,?,?,?,03E86F49,03F49AF0,03F4AF0C,00000150,03F4AEF4,03E91D72,03F4AEF4,00000150,03F4AF0C), ref: 03E86DD2
                                                                    • GetFileType.KERNEL32(00000000), ref: 03E86DDD
                                                                    • _vfprintf.LIBCMT ref: 03E86DF4
                                                                      • Part of subcall function 03E39580: _vfprintf_helper.LIBCMT ref: 03E39593
                                                                    • __vsnprintf.LIBCMT ref: 03E86E1D
                                                                    • GetVersion.KERNEL32 ref: 03E86E29
                                                                    • GetDesktopWindow.USER32 ref: 03E86E3A
                                                                    • GetProcessWindowStation.USER32 ref: 03E86E40
                                                                    • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 03E86E57
                                                                    • GetLastError.KERNEL32 ref: 03E86E61
                                                                    • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?), ref: 03E86E97
                                                                    • RegisterEventSourceA.ADVAPI32(00000000,03F49AE8), ref: 03E86ECD
                                                                    • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 03E86EF1
                                                                    • DeregisterEventSource.ADVAPI32(00000000), ref: 03E86EF8
                                                                    • MessageBoxA.USER32(00000000,?,03F49AD8,00000010), ref: 03E86F1B
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Event$InformationObjectSourceUserWindow$DeregisterDesktopErrorFileHandleLastMessageProcessRegisterReportStationTypeVersion__vsnprintf_vfprintf_vfprintf_helper
                                                                    • String ID:
                                                                    • API String ID: 2156873039-0
                                                                    • Opcode ID: 57736f9940913f88a4427377dfc79af53c923a34e94325e3c079744a7a69a8c0
                                                                    • Instruction ID: 6a933d194683defb54e46e9d8c394c0e358e511c1203e923df178e642888ece1
                                                                    • Opcode Fuzzy Hash: 57736f9940913f88a4427377dfc79af53c923a34e94325e3c079744a7a69a8c0
                                                                    • Instruction Fuzzy Hash: 0441E671A01218EBDB20EF95ED4AFDF7779EF40715F140295FA08D6080D7B09A54C7A1
                                                                    APIs
                                                                    • GetSysColor.USER32(0000000F), ref: 03E8B5D5
                                                                    • CreateSolidBrush.GDI32(00000000), ref: 03E8B5DC
                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 03E8B5ED
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 03E8B603
                                                                    • RegisterClassExA.USER32(?), ref: 03E8B626
                                                                    • CreateWindowExA.USER32(00040001,03F4A86C,03F4A85C,80C00000,00000064,00000064,0000012C,000000A0,00000000,00000000,?,00000000), ref: 03E8B652
                                                                    • GetDesktopWindow.USER32 ref: 03E8B672
                                                                    • GetWindowRect.USER32(00000000), ref: 03E8B679
                                                                    • GetWindowRect.USER32(?,?), ref: 03E8B686
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 03E8B6D8
                                                                    • ShowWindow.USER32(?,00000005), ref: 03E8B6E9
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 03E8B6ED
                                                                    • CreateWindowExA.USER32(00000000,03F4A84C,03F4A854,50000000,00000069,0000005A,00000050,0000001E,?,0000040A,00000000), ref: 03E8B710
                                                                    • ShowWindow.USER32(00000000,00000005), ref: 03E8B71E
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Create$HandleModuleRectShow$BrushClassColorCursorDesktopLoadRegisterSolid
                                                                    • String ID:
                                                                    • API String ID: 2003873210-0
                                                                    • Opcode ID: 15a97480f63ceee2e2c25084cf73cb8a03b8547d993a244d22824366407a755d
                                                                    • Instruction ID: 0e171221d13fe251ef1b76cf6956a04b299e10d5abd1d9ccfaab76df3ff5a872
                                                                    • Opcode Fuzzy Hash: 15a97480f63ceee2e2c25084cf73cb8a03b8547d993a244d22824366407a755d
                                                                    • Instruction Fuzzy Hash: 014118B1E01219AFDB10EFA9DD49EAEBFB9EF48700F104219F605B6294D770A911CB60
                                                                    APIs
                                                                      • Part of subcall function 03E2D6AE: SetFocus.USER32(?,03E57335), ref: 03E2D6B7
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 03E6C270
                                                                    • GetWindowRect.USER32(?,?), ref: 03E6C28F
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 03E6C2A9
                                                                    • GetSubMenu.USER32(?,00000000), ref: 03E6C2B2
                                                                    • SendMessageA.USER32(?,?,?,?), ref: 03E6C2D5
                                                                    • TrackPopupMenuEx.USER32(?,00000182,?,?,?,00000000), ref: 03E6C2F0
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 03E6C305
                                                                    • PostMessageA.USER32(?,00000111,?,00000000), ref: 03E6C31D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$Invalidate$MenuMessage$FocusPopupPostSendTrackWindow
                                                                    • String ID: open
                                                                    • API String ID: 4157106553-2758837156
                                                                    • Opcode ID: 64d848f82250e9912b9c378b7ec3815530f3e4607a756dd9b8dbe85d396e1ae3
                                                                    • Instruction ID: 1766b6373b77818650a96c3cc204ddd11eb114ff0ff4c14b8a0c1821848132df
                                                                    • Opcode Fuzzy Hash: 64d848f82250e9912b9c378b7ec3815530f3e4607a756dd9b8dbe85d396e1ae3
                                                                    • Instruction Fuzzy Hash: 85316DB1901718EFDB21AFA1ED84AAFBBBDFF48344F100629E686A5150D771AA10DB10
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    • Opcode ID: d44b62a9d03535986765cc38ae956414ec5c52ebad857522865e727b19236a2f
                                                                    • Instruction ID: 2524f2448473e17df9fec05f2a972a7a281630aae224a5fba7be5015ce11f062
                                                                    • Opcode Fuzzy Hash: d44b62a9d03535986765cc38ae956414ec5c52ebad857522865e727b19236a2f
                                                                    • Instruction Fuzzy Hash: 2C813975B00706ABDB24EF69CC849AEF3F9EF86710B18572EE416D6290F7709900CB51
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_malloc
                                                                    • String ID:
                                                                    • API String ID: 3506388080-0
                                                                    • Opcode ID: bddbc062a87e44932de352fb515641e1b72b064b8e22f5261253bd02813ccb6f
                                                                    • Instruction ID: fc7b13011b42fbd18a26b5a306b2b16df1f8583b00ba3b35c12ac5293457ad6a
                                                                    • Opcode Fuzzy Hash: bddbc062a87e44932de352fb515641e1b72b064b8e22f5261253bd02813ccb6f
                                                                    • Instruction Fuzzy Hash: 79915D71C01509EFDF11EFA6CC869EEBBB5EF08358F20046AF414A2251D7395E619B68
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 03E8CF41
                                                                    • _malloc.LIBCMT ref: 03E8CF5E
                                                                      • Part of subcall function 03E35D96: __FF_MSGBANNER.LIBCMT ref: 03E35DB9
                                                                      • Part of subcall function 03E35D96: RtlAllocateHeap.NTDLL(00000000,03E11FB5), ref: 03E35E0E
                                                                    • _memset.LIBCMT ref: 03E8CFBE
                                                                    • _memset.LIBCMT ref: 03E8CFD4
                                                                    • _memset.LIBCMT ref: 03E8CFDE
                                                                    • _memset.LIBCMT ref: 03E8CFEC
                                                                      • Part of subcall function 03E7F770: _malloc.LIBCMT ref: 03E7F795
                                                                    • _malloc.LIBCMT ref: 03E8D020
                                                                    • _memset.LIBCMT ref: 03E8D05A
                                                                    • _memset.LIBCMT ref: 03E8D10D
                                                                    • _memset.LIBCMT ref: 03E8D138
                                                                    • _malloc.LIBCMT ref: 03E8CF93
                                                                      • Part of subcall function 03E35E59: __lock.LIBCMT ref: 03E35E77
                                                                      • Part of subcall function 03E35E59: ___sbh_find_block.LIBCMT ref: 03E35E82
                                                                      • Part of subcall function 03E35E59: ___sbh_free_block.LIBCMT ref: 03E35E91
                                                                      • Part of subcall function 03E35E59: RtlFreeHeap.NTDLL(00000000,03E11FC4,03F5FB40,0000000C,03E3B65F,00000000,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA,00000004,03F5FB80,0000000C), ref: 03E35EC1
                                                                      • Part of subcall function 03E35E59: GetLastError.KERNEL32(?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214,?,00000000), ref: 03E35ED2
                                                                    • _memset.LIBCMT ref: 03E8D184
                                                                    • _memset.LIBCMT ref: 03E8D190
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_malloc$Heap$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock
                                                                    • String ID:
                                                                    • API String ID: 2674552236-0
                                                                    • Opcode ID: b5e582b706036d247fcf5a210d904d2d987fb6ab001aa32014d67b22e3e68456
                                                                    • Instruction ID: af69cba9eb6fc05b5099c0c99e8729a28d3f15370fccf53e26978a4ced62841c
                                                                    • Opcode Fuzzy Hash: b5e582b706036d247fcf5a210d904d2d987fb6ab001aa32014d67b22e3e68456
                                                                    • Instruction Fuzzy Hash: 2D914B75C00209AFDF01EFA4CC859EFBBBAFF06254B141659F818B6290DB319D51DBA4
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Object$Select$Delete$Color$FillRect
                                                                    • String ID:
                                                                    • API String ID: 2082109796-0
                                                                    • Opcode ID: 313b8e747fae6b5f1bc623d132d55b88e25f4e29590d12469d06409f9b22ade5
                                                                    • Instruction ID: 51bdd51d88f54d54ef81ff286fd1fb65abbcc38fd455e69ae2372e00842486a5
                                                                    • Opcode Fuzzy Hash: 313b8e747fae6b5f1bc623d132d55b88e25f4e29590d12469d06409f9b22ade5
                                                                    • Instruction Fuzzy Hash: 9471F975800209EFDF119FA1DC49CEEBFB6FF08384B148529F919A6160C7329961EF90
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_malloc
                                                                    • String ID:
                                                                    • API String ID: 3506388080-0
                                                                    • Opcode ID: 471efa565547102a27f2788b3fea336c064a25d6c2fb24fb76b579d6d9bcd3c6
                                                                    • Instruction ID: b551f6e3db6ba3998b860e28cd4716f7cdaf5e7608ff8d16c79f4c9caad16336
                                                                    • Opcode Fuzzy Hash: 471efa565547102a27f2788b3fea336c064a25d6c2fb24fb76b579d6d9bcd3c6
                                                                    • Instruction Fuzzy Hash: 26C1AF72C0010ABEDF11EFA58C49DEF7FB9EF08314F50096AF544A7261D6399A189B68
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E7E970
                                                                    • _memset.LIBCMT ref: 03E7E97F
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F483EC,00000000,00000001,?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7E9A8
                                                                    • RegQueryValueExA.ADVAPI32(?,03F483E0,00000000,?,?,?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7E9CE
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7E9FD
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F483EC,00000000,00000101,?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7EA16
                                                                    • RegQueryValueExA.ADVAPI32(?,03F483E0,00000000,?,?,?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7EA38
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7EA45
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F483B4,00000000,00000001,?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7EA5B
                                                                    • RegQueryValueExA.ADVAPI32(?,03F483E0,00000000,?,?,?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7EA8D
                                                                    • RegQueryValueExA.ADVAPI32(?,03F483A8,00000000,?,?,?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7EABE
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,03E741D5,03E741B9,00000000), ref: 03E7EB06
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValue$CloseOpen$_memset
                                                                    • String ID:
                                                                    • API String ID: 2277749028-0
                                                                    • Opcode ID: e9a1765b6bab9bba9c46f2759357ae41ef1b631dcc5679be4833c7b7f2e83efe
                                                                    • Instruction ID: 8764e9acef0040f7e67107574f993e300aa43a9a9d924a7d595fd37d770dc145
                                                                    • Opcode Fuzzy Hash: e9a1765b6bab9bba9c46f2759357ae41ef1b631dcc5679be4833c7b7f2e83efe
                                                                    • Instruction Fuzzy Hash: 01518C7250130DAEEF21DFA4DD84DEE7FBDAF45284F1402A6F909D6110E670D949CBA0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$_malloc_memset_strncpy$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1278523313-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$H_prolog3__strlen_strncmp
                                                                    • String ID: unregistered
                                                                    • API String ID: 3014153459-1844053155
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 03E874EB
                                                                      • Part of subcall function 03E35D96: __FF_MSGBANNER.LIBCMT ref: 03E35DB9
                                                                      • Part of subcall function 03E35D96: RtlAllocateHeap.NTDLL(00000000,03E11FB5), ref: 03E35E0E
                                                                    • _memset.LIBCMT ref: 03E87505
                                                                    • _malloc.LIBCMT ref: 03E87593
                                                                    • _memset.LIBCMT ref: 03E875B6
                                                                    • _malloc.LIBCMT ref: 03E875F8
                                                                    • _memset.LIBCMT ref: 03E8760F
                                                                      • Part of subcall function 03E88931: _malloc.LIBCMT ref: 03E8895C
                                                                      • Part of subcall function 03E77E58: _memset.LIBCMT ref: 03E77E7B
                                                                    • _malloc.LIBCMT ref: 03E87648
                                                                    • _memset.LIBCMT ref: 03E8765F
                                                                      • Part of subcall function 03E8B0A6: _memset.LIBCMT ref: 03E8B0BE
                                                                      • Part of subcall function 03E8AF3E: _memset.LIBCMT ref: 03E8AF5B
                                                                      • Part of subcall function 03E8AF3E: _malloc.LIBCMT ref: 03E8AF89
                                                                      • Part of subcall function 03E8AF3E: _malloc.LIBCMT ref: 03E8AF9E
                                                                      • Part of subcall function 03E8AF3E: _sprintf.LIBCMT ref: 03E8AFC4
                                                                      • Part of subcall function 03E8AF3E: _sprintf.LIBCMT ref: 03E8AFD4
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc_memset$_sprintf$AllocateHeap
                                                                    • String ID: ActivationData$ResultCode
                                                                    • API String ID: 2299194431-933770878
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset_sprintf$AddressLibraryLoadProc_strncpy
                                                                    • String ID: 3
                                                                    • API String ID: 826074087-1842515611
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E2F49F
                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 03E2F4BA
                                                                    • GetSystemMetrics.USER32(00000032), ref: 03E2F4D9
                                                                    • GetSystemMetrics.USER32(00000031), ref: 03E2F4E2
                                                                    • _memset.LIBCMT ref: 03E2F504
                                                                    • GetMenuItemInfoA.USER32 ref: 03E2F52C
                                                                    • GetMenuItemInfoA.USER32(?,?,00000000,?), ref: 03E2F553
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 03E2F5B8
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 03E2F5C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsSystem$InfoItemMenu$H_prolog3Object_memset
                                                                    • String ID: @
                                                                    • API String ID: 3341327673-2766056989
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(KERNEL32,00000020,?,00000000,03E319BB,000000FF), ref: 03E3104D
                                                                    • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 03E3106B
                                                                    • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 03E31078
                                                                    • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 03E31085
                                                                    • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 03E31092
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                                    • API String ID: 667068680-3617302793
                                                                    APIs
                                                                    • __ltoa.LIBCMT ref: 03E8941D
                                                                      • Part of subcall function 03E36853: _xtoa@16.LIBCMT ref: 03E3686E
                                                                    • GlobalAlloc.KERNEL32(00000040,00004000,00000000,?), ref: 03E8948B
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E894A3
                                                                    • GlobalAlloc.KERNEL32(00000040,00002800), ref: 03E894AF
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E894B9
                                                                    • _sprintf.LIBCMT ref: 03E8977F
                                                                    • _sprintf.LIBCMT ref: 03E897AB
                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 03E89819
                                                                    • GlobalFree.KERNEL32(00008000), ref: 03E8981E
                                                                    • GlobalUnWire.KERNEL32(00000000), ref: 03E89825
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E8982A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFreeWire_sprintf$__ltoa_xtoa@16
                                                                    • String ID:
                                                                    • API String ID: 414982454-0
                                                                    APIs
                                                                    • SetRect.USER32(?,00000000,?,00000000,?), ref: 03E68CB5
                                                                      • Part of subcall function 03E3242C: SetBkColor.GDI32(?,?), ref: 03E3244D
                                                                      • Part of subcall function 03E3242C: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 03E32461
                                                                    • SetRect.USER32(?,?,00000000,?,00000000), ref: 03E68DC0
                                                                    • GetSystemMetrics.USER32(00000005), ref: 03E68E82
                                                                    • CreatePen.GDI32(00000006,00000000), ref: 03E68E8D
                                                                    • SelectObject.GDI32(?,?), ref: 03E68EAE
                                                                    • GetStockObject.GDI32(00000005), ref: 03E68EC4
                                                                    • SelectObject.GDI32(?,00000000), ref: 03E68ECE
                                                                    • Rectangle.GDI32(?,00000000,00000000,?,?), ref: 03E68EF0
                                                                    • SelectObject.GDI32(?,?), ref: 03E68F05
                                                                    • SelectObject.GDI32(?,?), ref: 03E68F12
                                                                    • DeleteObject.GDI32(?), ref: 03E68F17
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Object$Select$Rect$ColorCreateDeleteMetricsRectangleStockSystemText
                                                                    • String ID:
                                                                    • API String ID: 3756530280-0
                                                                    APIs
                                                                    • WSAStartup.WS2_32(00000101,?), ref: 03E8CA18
                                                                    • inet_addr.WS2_32(?), ref: 03E8CA39
                                                                    • inet_addr.WS2_32(?), ref: 03E8CA48
                                                                    • htons.WS2_32(00000000), ref: 03E8CA51
                                                                    • gethostbyname.WS2_32(?), ref: 03E8CA72
                                                                    • WSACleanup.WS2_32 ref: 03E8CA7B
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 03E8CAAD
                                                                    • WSACleanup.WS2_32 ref: 03E8CABB
                                                                    • connect.WS2_32(00000000,00000002,00000010), ref: 03E8CACE
                                                                    • shutdown.WS2_32(00000000,00000002), ref: 03E8CB34
                                                                    • closesocket.WS2_32(00000000), ref: 03E8CB3A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Cleanupinet_addr$Startupclosesocketconnectgethostbynamehtonsshutdownsocket
                                                                    • String ID:
                                                                    • API String ID: 3434075542-0
                                                                    APIs
                                                                    • __EH_prolog3_catch.LIBCMT ref: 03E35607
                                                                    • FindResourceA.KERNEL32(?,?,00000005), ref: 03E3563A
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 03E35642
                                                                    • LockResource.KERNEL32(?,00000024), ref: 03E35653
                                                                    • GetDesktopWindow.USER32 ref: 03E35686
                                                                    • IsWindowEnabled.USER32(?), ref: 03E35694
                                                                    • EnableWindow.USER32(?,00000000), ref: 03E356A3
                                                                      • Part of subcall function 03E2D672: IsWindowEnabled.USER32(?), ref: 03E2D67B
                                                                      • Part of subcall function 03E2D68D: EnableWindow.USER32(?,?), ref: 03E2D69A
                                                                    • EnableWindow.USER32(?,00000001), ref: 03E35787
                                                                    • GetActiveWindow.USER32 ref: 03E35792
                                                                    • SetActiveWindow.USER32(?,?,00000024), ref: 03E357A0
                                                                    • FreeResource.KERNEL32(?,?,00000024), ref: 03E357BC
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
                                                                    • String ID:
                                                                    • API String ID: 1509511306-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$H_prolog3
                                                                    • String ID: &ProdOption=$DNFTP$DNHTP$GOURL
                                                                    • API String ID: 2144794740-1347108656
                                                                    APIs
                                                                      • Part of subcall function 03E788D1: GetVersionExA.KERNEL32(?,03E741B9), ref: 03E788F3
                                                                    • LoadLibraryA.KERNEL32(03F48B54,?,Microsoft Virtual Machine Bus,00000000), ref: 03E7D7CA
                                                                    • GetProcAddress.KERNEL32(00000000,03F48B44), ref: 03E7D7E4
                                                                    • FreeLibrary.KERNEL32(?,?,Microsoft Virtual Machine Bus,00000000), ref: 03E7D7F6
                                                                    Strings
                                                                    • Microsoft Virtual Machine Bus, xrefs: 03E7D7A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProcVersion
                                                                    • String ID: Microsoft Virtual Machine Bus
                                                                    • API String ID: 493525861-555804341
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E76943
                                                                    • _memset.LIBCMT ref: 03E7695B
                                                                    • _memset.LIBCMT ref: 03E76970
                                                                    • _memset.LIBCMT ref: 03E76985
                                                                    • RegOpenKeyExA.ADVAPI32(03EDDBF0,00000000,00000000,000F003F,00000038), ref: 03E76A95
                                                                    • RegDeleteValueA.ADVAPI32(00000038,00000000), ref: 03E76AB0
                                                                    • RegCloseKey.ADVAPI32(00000038), ref: 03E76AC4
                                                                    • _sprintf.LIBCMT ref: 03E76AE3
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$CloseDeleteOpenValue_sprintf
                                                                    • String ID: software\classes\vdsp
                                                                    • API String ID: 3829872320-3218571349
                                                                    APIs
                                                                      • Part of subcall function 03E8B7D6: LoadLibraryA.KERNEL32(03F4A9E0,00004000,00000000,03E8C4BD,00000001,00004000), ref: 03E8B807
                                                                    • CreateThread.KERNEL32(00000000,00000000,03E8B1A3,?,00000000,?), ref: 03E8BEF8
                                                                    • WaitForSingleObject.KERNEL32(00000000,00004E20), ref: 03E8BF07
                                                                    • TerminateThread.KERNEL32(00000000,00000000), ref: 03E8BF18
                                                                    • CloseHandle.KERNEL32(?), ref: 03E8BF21
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CloseCreateHandleLibraryLoadObjectSingleTerminateWait
                                                                    • String ID: .
                                                                    • API String ID: 1170726710-3974621797
                                                                    • Opcode ID: 093ba75a2e4b7ce0bce2cc18a2005fffa6abe294914640385785b0c16e10e63c
                                                                    • Instruction ID: 1530a4b2cbc8fb5d331e4ecf50226675270359777ae8422b5ee36b331c02e3e4
                                                                    • Opcode Fuzzy Hash: 093ba75a2e4b7ce0bce2cc18a2005fffa6abe294914640385785b0c16e10e63c
                                                                    • Instruction Fuzzy Hash: D2419272904309FFEB10BFA5DC89AAB7BA9EF04354F20551AF50EEA150DA7099508B20
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$Library$AddressFreeLoadProc_strncmp
                                                                    • String ID: * $3
                                                                    • API String ID: 2582739758-2457549580
                                                                    • Opcode ID: f76a085b571d3dcb72d4d328f8212f4a9c9f5247a291ed7aea75cc30262aa0de
                                                                    • Instruction ID: 36818219f1387b7dfcb100cbe860ef88f65f2f2fc232d90d370cdd764812172a
                                                                    • Opcode Fuzzy Hash: f76a085b571d3dcb72d4d328f8212f4a9c9f5247a291ed7aea75cc30262aa0de
                                                                    • Instruction Fuzzy Hash: 7F31F571D0029CAADF11EBE59C08BCEBFBC9F05309F144195E964BB282D7745606CF91
                                                                    APIs
                                                                    • __EH_prolog3_catch.LIBCMT ref: 03E2BDFF
                                                                    • GetPropA.USER32(?,AfxOldWndProc423), ref: 03E2BE0E
                                                                    • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 03E2BE68
                                                                      • Part of subcall function 03E2AA39: GetWindowRect.USER32(?,10000000), ref: 03E2AA61
                                                                      • Part of subcall function 03E2AA39: GetWindow.USER32(?,00000004), ref: 03E2AA7E
                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 03E2BE8F
                                                                    • RemovePropA.USER32(?,AfxOldWndProc423), ref: 03E2BE97
                                                                    • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 03E2BE9E
                                                                    • GlobalDeleteAtom.KERNEL32(00000000), ref: 03E2BEA5
                                                                      • Part of subcall function 03E28CD2: GetWindowRect.USER32(?,00000360), ref: 03E28CDE
                                                                    • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 03E2BEF9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
                                                                    • String ID: AfxOldWndProc423
                                                                    • API String ID: 2702501687-1060338832
                                                                    • Opcode ID: 8a1358875b1116e28566a3a2aab6897abb6755eedc66c40ec2ebb0f982117620
                                                                    • Instruction ID: 4a4526538bc7c6f0560311ebda7248d77b4a96eb9ed6a4c60cfadd938eea39a9
                                                                    • Opcode Fuzzy Hash: 8a1358875b1116e28566a3a2aab6897abb6755eedc66c40ec2ebb0f982117620
                                                                    • Instruction Fuzzy Hash: 51313A3680122AABCB06EFA5DD49EBF7F79EF49311F041618FA01AA150CB749921DB61
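The records above (a RegOpenKeyExA/RegDeleteValueA pair whose String ID is software\classes\vdsp, a CreateThread/WaitForSingleObject/TerminateThread worker whose wait argument 00004E20 is 20000 ms, and the AfxOldWndProc423 subclass teardown), together with the OpenThreadToken/OpenProcessToken/GetTokenInformation record further down this listing, are easier to triage when the plugin's call lines are parsed and their constants decoded instead of read raw. The Python script below is an added example, not Joe Sandbox or the sample's own code: it parses lines in exactly the format printed in this listing, and its pattern table (KEY_ALL_ACCESS = 0xF003F, TOKEN_INFORMATION_CLASS 2 = TokenGroups, and the reading that a NULL buffer with length 0 is a size-probe call) is the editor's reading of the Win32 headers. The embedded sample records are constructed by copying records from this report, with some argument lists shortened.

```python
"""Parse Joe Sandbox 'APIs' records (the format of the listing above) and tag the
call sequences a reviewer would want flagged.  Added example, not Joe Sandbox code;
constants are the editor's reading of winnt.h / winreg.h."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• RegOpenKeyExA.ADVAPI32(03EDDBF0,...), ref: 03E76A95"   Win32 call with args
# "• _memset.LIBCMT ref: 03E76985"                           CRT call, no args
# "  • Part of subcall function 03E8B7D6: LoadLibraryA.KERNEL32(...), ref: ..."
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: Optional[str] = None   # callee address when the call is nested

@dataclass
class Record:
    calls: list = field(default_factory=list)
    string_ids: list = field(default_factory=list)

def parse_records(text: str) -> list:
    """One Record per 'APIs' header; 'String ID' lines attach to the open record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := CALL_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif line.startswith("• String ID:"):   # several strings are joined with '$'
            cur.string_ids = [s.strip() for s in line.split(":", 1)[1].split("$") if s.strip()]
    return records

def hex_arg(call: Call, index: int) -> Optional[int]:
    """Argument `index` as an int; None when the plugin printed '?' or it is absent."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None

KEY_ALL_ACCESS, INFINITE = 0x000F003F, 0xFFFFFFFF
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 20: "TokenElevation"}

def annotate(rec: Record) -> list:
    """Human-readable notes for the call sequences this function exhibits."""
    own = [c for c in rec.calls if c.subcall is None]     # the function's own calls
    names = {c.name for c in own}
    first = lambda n: next(c for c in own if c.name == n)
    notes = []
    if {"RegOpenKeyExA", "RegDeleteValueA"} <= names:
        keys = ", ".join(s for s in rec.string_ids if "\\" in s) or "<key not in String ID>"
        acc = hex_arg(first("RegOpenKeyExA"), 3)
        mask = "KEY_ALL_ACCESS" if acc == KEY_ALL_ACCESS else ("?" if acc is None else f"0x{acc:X}")
        notes.append(f"opens {keys} with {mask} and deletes a value")
    if {"CreateThread", "WaitForSingleObject", "TerminateThread"} <= names:
        ms = hex_arg(first("WaitForSingleObject"), 1)
        wait = "INFINITE" if ms == INFINITE else ("unknown wait" if ms is None else f"{ms} ms")
        notes.append(f"worker thread gets {wait}, then TerminateThread (no clean shutdown)")
    if "GetTokenInformation" in names:
        gti = first("GetTokenInformation")
        cls = TOKEN_CLASS.get(hex_arg(gti, 1), f"class {hex_arg(gti, 1)}")
        probe = " via NULL-buffer size-probe" if (hex_arg(gti, 2), hex_arg(gti, 3)) == (0, 0) else ""
        if {"OpenThreadToken", "OpenProcessToken"} <= names:
            src = "thread token, falling back to process token"
        else:
            src = "process token" if "OpenProcessToken" in names else "a token handle"
        notes.append(f"queries {cls} of {src}{probe}")
    if "AfxOldWndProc423" in rec.string_ids and "SetWindowLongA" in names:
        notes.append("MFC CWnd subclass teardown (AfxOldWndProc423): runtime library code")
    return notes

# Constructed input: three records copied from this report (some argument lists shortened).
SAMPLE = r"""
APIs
• _memset.LIBCMT ref: 03E76985
• RegOpenKeyExA.ADVAPI32(03EDDBF0,00000000,00000000,000F003F,00000038), ref: 03E76A95
• RegDeleteValueA.ADVAPI32(00000038,00000000), ref: 03E76AB0
• RegCloseKey.ADVAPI32(00000038), ref: 03E76AC4
Similarity
• String ID: software\classes\vdsp
APIs
  • Part of subcall function 03E8B7D6: LoadLibraryA.KERNEL32(03F4A9E0,00004000), ref: 03E8B807
• CreateThread.KERNEL32(00000000,00000000,03E8B1A3,?,00000000,?), ref: 03E8BEF8
• WaitForSingleObject.KERNEL32(00000000,00004E20), ref: 03E8BF07
• TerminateThread.KERNEL32(00000000,00000000), ref: 03E8BF18
• CloseHandle.KERNEL32(?), ref: 03E8BF21
APIs
• GetCurrentThread.KERNEL32 ref: 03E7EE0F
• OpenThreadToken.ADVAPI32(00000000,?,?,?,03E7A6E3), ref: 03E7EE16
• GetCurrentProcess.KERNEL32(00000008,03E74201,?), ref: 03E7EE39
• OpenProcessToken.ADVAPI32(00000000,?,?,?,03E7A6E3), ref: 03E7EE40
• GetTokenInformation.ADVAPI32(03E74201,00000002,00000000,00000000,03E741D5), ref: 03E7EE5C
• GetLastError.KERNEL32(?,?,?,03E7A6E3), ref: 03E7EE62
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(f"record {i}: " + " -> ".join(c.name for c in rec.calls if c.subcall is None))
        for note in annotate(rec):
            print("   *", note)
```

Run as-is it prints the three sample records with their notes; paste the text of any other function record from this page into SAMPLE to extend the table. Everything it reports is a decoded API sequence, not a verdict: the AfxOldWndProc423 record, for example, is MFC runtime code and is labelled as such, and a size-probe GetTokenInformation call only shows the function asks for the token's group list, not what it does with it.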
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,03F5FF08,0000000C,03E3D9ED,00000000,00000000,?,00000000,03E3A1C7,03E37306,00000001,03E3D72E,000A0000,00000000), ref: 03E3D8ED
                                                                    • GetProcAddress.KERNEL32(?,EncodePointer), ref: 03E3D921
                                                                    • GetProcAddress.KERNEL32(?,DecodePointer), ref: 03E3D931
                                                                    • InterlockedIncrement.KERNEL32(03F6AAF8), ref: 03E3D953
                                                                    • __lock.LIBCMT ref: 03E3D95B
                                                                    • ___addlocaleref.LIBCMT ref: 03E3D97A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                                                    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                    • API String ID: 1036688887-2843748187
                                                                    • Opcode ID: dd100b8d138004895e7ad6bb5a367b9deb010cfb00c79b4d0955673d200a01b5
                                                                    • Instruction ID: 94e0885b76e0243a2cafa5300fed5f4a9113be4e9f46a121b0968b8c928b252d
                                                                    • Opcode Fuzzy Hash: dd100b8d138004895e7ad6bb5a367b9deb010cfb00c79b4d0955673d200a01b5
                                                                    • Instruction Fuzzy Hash: 00114FB4940705EEDB20EF7ADC09B6FBBE4EF05304F009A19E8A697251CBB49940CF10
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _sprintf$_memset
                                                                    • String ID:
                                                                    • API String ID: 2003622500-0
                                                                    • Opcode ID: 3a995ad322595001e16d07b88226fd02636db68de022c17fdfa73b1b4d8b16c1
                                                                    • Instruction ID: 58460153b175d524c792055a65e5b8ee9cf19fec377fc76232280f984923b031
                                                                    • Opcode Fuzzy Hash: 3a995ad322595001e16d07b88226fd02636db68de022c17fdfa73b1b4d8b16c1
                                                                    • Instruction Fuzzy Hash: 5EF19371900209AFEF209F60CC89EEFBBB9FF84305F14446AF55AA6150D739AE45CB58
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: char_traits$String_base::_Xlenstd::_
                                                                    • String ID:
                                                                    • API String ID: 1810552321-0
                                                                    • Opcode ID: 525753072e2288c2d7813d9815151a809b996c44bffa3f659db3084148dd9820
                                                                    • Instruction ID: 0dce5b82a90baff7d45493d01b312650a817fd3d00242d87f955e5bb4e339d16
                                                                    • Opcode Fuzzy Hash: 525753072e2288c2d7813d9815151a809b996c44bffa3f659db3084148dd9820
                                                                    • Instruction Fuzzy Hash: A1B15D712001169FDF08CF18C9D5AAF3762FF46348B10891AF9568B386D734E9A5CBDA
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: char_traits$String_base::_Xlenstd::_
                                                                    • String ID:
                                                                    • API String ID: 1810552321-0
                                                                    • Opcode ID: b99c6d3336d8a2de2fffb49ef813bec36dcc10a5feaebef43d46fe411e8f7c9b
                                                                    • Instruction ID: 2616664667b513c7042a215b8690ff9164926d32be2e96dbb3b76f07dfc5c52e
                                                                    • Opcode Fuzzy Hash: b99c6d3336d8a2de2fffb49ef813bec36dcc10a5feaebef43d46fe411e8f7c9b
                                                                    • Instruction Fuzzy Hash: 56B1047060011AAFDF08CF2CC9D49AE7B66FF44304B549A18F9568B386D730E9A1CBE5
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    • Opcode ID: d44b62a9d03535986765cc38ae956414ec5c52ebad857522865e727b19236a2f
                                                                    • Instruction ID: fada750d8a0f700c6732676d826f912fd23c5fca2eb873c6cef93e27fed82e28
                                                                    • Opcode Fuzzy Hash: d44b62a9d03535986765cc38ae956414ec5c52ebad857522865e727b19236a2f
                                                                    • Instruction Fuzzy Hash: 0F81F9B1B006049BFB24DF6ACC81A6FB3F9EF54B15B14452FF015D6382E778AA008B59
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_malloc
                                                                    • String ID:
                                                                    • API String ID: 3506388080-0
                                                                    • Opcode ID: 03e3453c322fa8c06f39ef5f8a58ffb1fa29bba3bc07f5da61cc2484fc992245
                                                                    • Instruction ID: a1bea351c84829f6846cd3fea7a9df84e285e35c6ff789df2ef469bc3544567e
                                                                    • Opcode Fuzzy Hash: 03e3453c322fa8c06f39ef5f8a58ffb1fa29bba3bc07f5da61cc2484fc992245
                                                                    • Instruction Fuzzy Hash: 5991A031C0451ABFCF129FA5CC45AEFBFB2EF08354F24446AF800A7252D7398A159B98
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 03E8CC80
                                                                    • _memset.LIBCMT ref: 03E8CC9C
                                                                    • _malloc.LIBCMT ref: 03E8CCC2
                                                                      • Part of subcall function 03E35D96: __FF_MSGBANNER.LIBCMT ref: 03E35DB9
                                                                      • Part of subcall function 03E35D96: RtlAllocateHeap.NTDLL(00000000,03E11FB5), ref: 03E35E0E
                                                                    • _memset.LIBCMT ref: 03E8CCE1
                                                                    • _malloc.LIBCMT ref: 03E8CD36
                                                                    • _memset.LIBCMT ref: 03E8CD64
                                                                    • _memset.LIBCMT ref: 03E8CE69
                                                                    • _memset.LIBCMT ref: 03E8CE97
                                                                      • Part of subcall function 03E35E59: __lock.LIBCMT ref: 03E35E77
                                                                      • Part of subcall function 03E35E59: ___sbh_find_block.LIBCMT ref: 03E35E82
                                                                      • Part of subcall function 03E35E59: ___sbh_free_block.LIBCMT ref: 03E35E91
                                                                      • Part of subcall function 03E35E59: RtlFreeHeap.NTDLL(00000000,03E11FC4,03F5FB40,0000000C,03E3B65F,00000000,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA,00000004,03F5FB80,0000000C), ref: 03E35EC1
                                                                      • Part of subcall function 03E35E59: GetLastError.KERNEL32(?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214,?,00000000), ref: 03E35ED2
                                                                    • _memset.LIBCMT ref: 03E8CED8
                                                                    • _memset.LIBCMT ref: 03E8CEEF
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_malloc$Heap$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock
                                                                    • String ID:
                                                                    • API String ID: 2674552236-0
                                                                    • Opcode ID: e28a0d5567a145eb39e5c684fb5cc7d01639fe6447195a4463e38766d4ec5321
                                                                    • Instruction ID: 3d2a430c3d90c3def8809e4091c115f1079dc570e0864f5d75fcdbd6ade81969
                                                                    • Opcode Fuzzy Hash: e28a0d5567a145eb39e5c684fb5cc7d01639fe6447195a4463e38766d4ec5321
                                                                    • Instruction Fuzzy Hash: 62918D75D0021AEBCF11EFA48C48AFEBFB6EF0A704F245255E91DB7250D6319A15CBA0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
                                                                    • String ID:
                                                                    • API String ID: 2135910768-0
                                                                    • Opcode ID: fb46651e8029a521e0aee6fecc58a8c047d8cc5b3fef604081db1f96b1fe50ee
                                                                    • Instruction ID: 612fb80ea0cccbf0bd71279cb8ca917e9ee676abffdf3f250a51e7a0cfe59413
                                                                    • Opcode Fuzzy Hash: fb46651e8029a521e0aee6fecc58a8c047d8cc5b3fef604081db1f96b1fe50ee
                                                                    • Instruction Fuzzy Hash: 3651AF31A20285DFDF25DBA4CA88ABEF7B9BF44314F181B6DE546E6240C734ED568B10
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$_malloc_memset_strncpy
                                                                    • String ID:
                                                                    • API String ID: 3814236086-0
                                                                    • Opcode ID: c24e0d9cf41b4013493369be34e751bfb3984a63df2872b2ee4c291022bde742
                                                                    • Instruction ID: 6015a4b6e02f533453f3f05379876edc97e49c8d5ea9500edb79b816adce7d71
                                                                    • Opcode Fuzzy Hash: c24e0d9cf41b4013493369be34e751bfb3984a63df2872b2ee4c291022bde742
                                                                    • Instruction Fuzzy Hash: 3F41FF71800209FFCF11AF65CC81DAB7BB9FF08318F10886EF94A96261E679AD41DB55
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 03E7EE0F
                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EE16
                                                                    • GetLastError.KERNEL32(?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EE26
                                                                    • GetCurrentProcess.KERNEL32(00000008,03E74201,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EE39
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EE40
                                                                    • GetTokenInformation.ADVAPI32(03E74201,00000002,00000000,00000000,03E741D5,03E741B9,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EE5C
                                                                    • GetLastError.KERNEL32(?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EE62
                                                                    • _malloc.LIBCMT ref: 03E7EE6C
                                                                    • GetTokenInformation.ADVAPI32(03E74201,00000002,00000000,03E741D5,03E741D5,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EE81
                                                                    • CloseHandle.KERNEL32(03E74201,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EEAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Token$CurrentErrorInformationLastOpenProcessThread$CloseHandle_malloc
                                                                    • String ID:
                                                                    • API String ID: 3753376967-0
                                                                    • Opcode ID: 13e5b415ea13b2b7dc72ab2f6aad354d47e9df34d117d6c7b67e9d4cabc9c39d
                                                                    • Instruction ID: d4857c9c1825dbe3c5757c37496a77d4f24a392ce815d0419efdb3a563f94186
                                                                    • Opcode Fuzzy Hash: 13e5b415ea13b2b7dc72ab2f6aad354d47e9df34d117d6c7b67e9d4cabc9c39d
                                                                    • Instruction Fuzzy Hash: 22218E72510208FEEB10EBA5EC89EBF7ABDEB85244F141AA9F501E2044D6319E11DB60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$H_prolog3H_prolog3__strlen
                                                                    • String ID: .asmx
                                                                    • API String ID: 2299023779-3816017139
                                                                    • Opcode ID: 3505923d854e625dccbaa6d196912ab2dfd9e665956a5a6afa3bc279fbb3e75f
                                                                    • Instruction ID: f2b95f495d833afd684abe41b5233280b768e99a60dc99c5a643f1afc61268a3
                                                                    • Opcode Fuzzy Hash: 3505923d854e625dccbaa6d196912ab2dfd9e665956a5a6afa3bc279fbb3e75f
                                                                    • Instruction Fuzzy Hash: BF8160B5A0024CAEDF51EF94DC90EEF77BDAB09244F401229F509EB280DF349A05CBA5
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E7D252
                                                                    • LoadLibraryA.KERNEL32(03F48B34,?,?,03E741B9), ref: 03E7D272
                                                                    • GetProcAddress.KERNEL32(00000000,03F48A58), ref: 03E7D28C
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,03E741B9), ref: 03E7D29A
                                                                    • _memset.LIBCMT ref: 03E7D2CA
                                                                    • _memset.LIBCMT ref: 03E7D2F4
                                                                    • _strncmp.LIBCMT ref: 03E7D32E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$Library$AddressFreeLoadProc_strncmp
                                                                    • String ID: *
                                                                    • API String ID: 2582739758-1826279079
                                                                    • Opcode ID: 898dbae358ab60cd32380d110ce69b3f2d3fed94d3debea2380e0ad8b44c1435
                                                                    • Instruction ID: affa9705a294837bbf4297b87b29e928cf0d2e163d65725a0e4937269c4f3e4a
                                                                    • Opcode Fuzzy Hash: 898dbae358ab60cd32380d110ce69b3f2d3fed94d3debea2380e0ad8b44c1435
                                                                    • Instruction Fuzzy Hash: C9410A72C052CDBFDB21DBA4AC54BDFBFB85F06208F1C15C5E984A7242DA709249C7A1
                                                                    APIs
                                                                      • Part of subcall function 03E8B7D6: LoadLibraryA.KERNEL32(03F4A9E0,00004000,00000000,03E8C4BD,00000001,00004000), ref: 03E8B807
                                                                    • GetLastError.KERNEL32 ref: 03E8C07A
                                                                    • GetLastError.KERNEL32 ref: 03E8C0F5
                                                                    • GetDesktopWindow.USER32 ref: 03E8C1E7
                                                                    • GlobalAlloc.KERNEL32(00000040,000088B9), ref: 03E8C257
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E8C268
                                                                    • GlobalFree.KERNEL32(00000000), ref: 03E8C276
                                                                    • GetLastError.KERNEL32 ref: 03E8C2DE
                                                                    • GetLastError.KERNEL32 ref: 03E8C2E0
                                                                    • GetLastError.KERNEL32 ref: 03E8C31F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$Global$AllocDesktopFreeLibraryLoadWindow
                                                                    • String ID:
                                                                    • API String ID: 3964952039-0
                                                                    • Opcode ID: 1771d26d9305106614db6bebb9b1eae6c8debf7399e39dc1c67f9783e48795fe
                                                                    • Instruction ID: 6916c4803d4f333a58fecc9a856a19f24f488f96476fc3a20ec1511ce4919489
                                                                    • Opcode Fuzzy Hash: 1771d26d9305106614db6bebb9b1eae6c8debf7399e39dc1c67f9783e48795fe
                                                                    • Instruction Fuzzy Hash: 5CA15DB1901A09AFDB20EFA5DC88BEBBBBCFF45355F244529F55EE6090D73499408B20
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(03F48B54,00000000), ref: 03E7D5DC
                                                                      • Part of subcall function 03E7D240: _memset.LIBCMT ref: 03E7D252
                                                                      • Part of subcall function 03E7D240: LoadLibraryA.KERNEL32(03F48B34,?,?,03E741B9), ref: 03E7D272
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$_memset
                                                                    • String ID:
                                                                    • API String ID: 240438931-0
                                                                    • Opcode ID: 9a6401c2396130af467e82e5d7a9992a2a010ea29b973b7f93d662d8598f5e95
                                                                    • Instruction ID: b80be5d41949ef020bc47e0c6cce122a941771cfbf0c460110d666b97b4c1c12
                                                                    • Opcode Fuzzy Hash: 9a6401c2396130af467e82e5d7a9992a2a010ea29b973b7f93d662d8598f5e95
                                                                    • Instruction Fuzzy Hash: 5A51C275900218FFCB31EFA59C84DEFBBB8FF08348F1896A9E55AE7110D23099518B50
                                                                    APIs
                                                                      • Part of subcall function 03E2F188: GetFocus.USER32 ref: 03E2F189
                                                                      • Part of subcall function 03E2F188: GetParent.USER32(00000000), ref: 03E2F1B2
                                                                      • Part of subcall function 03E2F188: GetWindowLongA.USER32(?,000000F0), ref: 03E2F1CD
                                                                      • Part of subcall function 03E2F188: GetParent.USER32(?), ref: 03E2F1DB
                                                                      • Part of subcall function 03E2F188: GetDesktopWindow.USER32 ref: 03E2F1DF
                                                                      • Part of subcall function 03E2F188: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 03E2F1F3
                                                                    • GetMenu.USER32(?), ref: 03EC8AB5
                                                                    • GetMenu.USER32(?), ref: 03EC8AC9
                                                                    • GetMenuItemCount.USER32(00000000), ref: 03EC8AD2
                                                                    • GetSubMenu.USER32(00000000,00000000), ref: 03EC8AE3
                                                                    • GetMenuItemCount.USER32(?), ref: 03EC8B05
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 03EC8B26
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 03EC8B4E
                                                                    • GetMenuItemCount.USER32(?), ref: 03EC8B85
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 03EC8BA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
                                                                    • String ID:
                                                                    • API String ID: 4186786570-0
                                                                    • Opcode ID: 2efdb58cf8f66aa51dfa469a1b698c2d55136a0b90d2cf0ea9193c674054b846
                                                                    • Instruction ID: 198c33153b360540021d9349e59de25a9947706e7dc087de2d1674d73cfc4b6f
                                                                    • Opcode Fuzzy Hash: 2efdb58cf8f66aa51dfa469a1b698c2d55136a0b90d2cf0ea9193c674054b846
                                                                    • Instruction Fuzzy Hash: 37518EB9910259AFCB11EF65CF80AAEBBB5FF48314F1466ADE421A6150D730ED52CF20
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __ltoa$_strlen$_memset_xtoa@16
                                                                    • String ID:
                                                                    • API String ID: 3124776419-0
                                                                    • Opcode ID: 4c0b0e980befb147ecd6ff612703c71a02bf7577bace2144fa510f72d2dbb560
                                                                    • Instruction ID: 2c58ac53e2219fb1ae0bb22dc2eac2549431817c8b4f3af65168e639197bcd85
                                                                    • Opcode Fuzzy Hash: 4c0b0e980befb147ecd6ff612703c71a02bf7577bace2144fa510f72d2dbb560
                                                                    • Instruction Fuzzy Hash: A541B961601604ABDB14EA298CD2FBE77ACBB5470DF44043EF90AD61C3DE6C5D0C8756
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __ltoa$_strlen$_memset_xtoa@16
                                                                    • String ID:
                                                                    • API String ID: 3124776419-0
                                                                    • Opcode ID: 1e0e107b8ed62768c19c6013f7f0df78446fcaebc79deb7d96e0f19d78dfcd92
                                                                    • Instruction ID: acc3a4c6aa13668417209003b46fb1c38229492467a917ff86c3349f9cd2c183
                                                                    • Opcode Fuzzy Hash: 1e0e107b8ed62768c19c6013f7f0df78446fcaebc79deb7d96e0f19d78dfcd92
                                                                    • Instruction Fuzzy Hash: 21416575B003046BDB10EA749C81FBFB7ADFB5D704F44253DE50AEA182EE65A9088B61
                                                                    APIs
                                                                      • Part of subcall function 03E5FC4E: _strlen.LIBCMT ref: 03E5FC8F
                                                                      • Part of subcall function 03E5FC4E: _strlen.LIBCMT ref: 03E5FCB1
                                                                      • Part of subcall function 03E5FC4E: _strlen.LIBCMT ref: 03E5FCBB
                                                                      • Part of subcall function 03E5FC4E: _strlen.LIBCMT ref: 03E5FCE8
                                                                      • Part of subcall function 03E5FC4E: _strlen.LIBCMT ref: 03E5FCF4
                                                                    • _malloc.LIBCMT ref: 03E60372
                                                                      • Part of subcall function 03E35D96: __FF_MSGBANNER.LIBCMT ref: 03E35DB9
                                                                      • Part of subcall function 03E35D96: RtlAllocateHeap.NTDLL(00000000,03E11FB5), ref: 03E35E0E
                                                                    • _strlen.LIBCMT ref: 03E603AA
                                                                    • _strlen.LIBCMT ref: 03E603BD
                                                                    • SetFilePointer.KERNEL32(8964F44D,00000000,00000000,00000000,?,?,03E66972,03E6697E,?,?,?,00000000), ref: 03E603E1
                                                                    • SetEndOfFile.KERNEL32(8964F44D,?,?,03E66972,03E6697E,?,?,?,00000000), ref: 03E603EA
                                                                    • _strlen.LIBCMT ref: 03E603F1
                                                                    • WriteFile.KERNEL32(8964F44D,03E66A8A,00000004,03E6697E,00000000,?,?,03E66972,03E6697E,?,?,?,00000000), ref: 03E60413
                                                                    • _strlen.LIBCMT ref: 03E6041E
                                                                    • WriteFile.KERNEL32(8964F44D,00000000,03E66972,00000040,00000000,?,?,03E66972,03E6697E,?,?,?,00000000), ref: 03E60452
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$File$Write$AllocateHeapPointer_malloc
                                                                    • String ID:
                                                                    • API String ID: 3341484474-0
                                                                    • Opcode ID: d8b633d265d6428cc02c349c4eb7fb5f246573c63c87a68e2fe9b33924fe03c4
                                                                    • Instruction ID: ab73ed7b0f4df777b802d3de71b034676c9a0d2eab572ad75c1dd5148542383b
                                                                    • Opcode Fuzzy Hash: d8b633d265d6428cc02c349c4eb7fb5f246573c63c87a68e2fe9b33924fe03c4
                                                                    • Instruction Fuzzy Hash: 9F31AD7284022DBBDF11EFA4EC84DEF7B7CEB45259F005666F910A6140E2309E208B61
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __fread_nolock_malloc_memset$Sleep__fsopen_fseek_ftell_strncat
                                                                    • String ID:
                                                                    • API String ID: 3889882214-0
                                                                    • Opcode ID: 6044104ca98e42f4f6e509641e22ed0b83cec408fa070af6507efa10ed6cd0a1
                                                                    • Instruction ID: ce06ee81fca767d69d042bca03d376126f4719dca51b7cd78ad7c81d419da058
                                                                    • Opcode Fuzzy Hash: 6044104ca98e42f4f6e509641e22ed0b83cec408fa070af6507efa10ed6cd0a1
                                                                    • Instruction Fuzzy Hash: 7D214E3A940301BFDB12FF749C44F7B77A9DF42744F141A29F958AA192EB72C4119714
                                                                    APIs
                                                                    • GetDlgItemTextA.USER32(?,000003FF,03F7AD7C,0000000F), ref: 03E8999D
                                                                    • GetDlgItemTextA.USER32(?,000003FE,?,0000000F), ref: 03E899B1
                                                                    • EndDialog.USER32(?,00000000), ref: 03E899B8
                                                                    • GetDesktopWindow.USER32 ref: 03E899DF
                                                                    • GetWindowRect.USER32(00000000), ref: 03E899E6
                                                                    • GetWindowRect.USER32(?,?), ref: 03E899F4
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 03E89A43
                                                                    • GetDlgItem.USER32(?,000003FF), ref: 03E89A51
                                                                    • SetFocus.USER32(00000000), ref: 03E89A58
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Item$RectText$DesktopDialogFocus
                                                                    • String ID:
                                                                    • API String ID: 550918993-0
                                                                    • Opcode ID: e54b1f3b4bef7004c2159ea1059e462fc92335331ca3794fa9948a9d6d91d9e0
                                                                    • Instruction ID: 09e78a1901a69d8f354256a176ee5c3d7b174408e556beee90f2556661d72722
                                                                    • Opcode Fuzzy Hash: e54b1f3b4bef7004c2159ea1059e462fc92335331ca3794fa9948a9d6d91d9e0
                                                                    • Instruction Fuzzy Hash: 86315E72A0011AAFCF05EFB9DD49AEE7BB9EF48340F044224B909E7299D770E9118B50
                                                                    APIs
                                                                    • __EH_prolog3_catch.LIBCMT ref: 03E245FF
                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 03E24610
                                                                    • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,03E2521A,03E237EB,03E27284,?,03E25C95,00000004,03E31AB7,00000004,03E5604C,00000000), ref: 03E2462E
                                                                    • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,03E2521A,03E237EB,03E27284,?,03E25C95,00000004,03E31AB7), ref: 03E24662
                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 03E246CE
                                                                    • _memset.LIBCMT ref: 03E246ED
                                                                    • TlsSetValue.KERNEL32(?,00000000), ref: 03E246FE
                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 03E2471F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                                                                    • String ID:
                                                                    • API String ID: 1891723912-0
                                                                    • Opcode ID: f562f3a7c559760d6928cba072995cd100e29246ccbdb86ed09702dd7898d56c
                                                                    • Instruction ID: add007ec40e3936167a522cf021604a83151543a3fe7442287a7440294dec1d4
                                                                    • Opcode Fuzzy Hash: f562f3a7c559760d6928cba072995cd100e29246ccbdb86ed09702dd7898d56c
                                                                    • Instruction Fuzzy Hash: BB3185B5500A29EFCB20EF12DC84D6ABFB9FF01310B10E729E5569B694CB70A951CF90
                                                                    APIs
                                                                      • Part of subcall function 03E6C013: DestroyCursor.USER32(?), ref: 03E6C02F
                                                                      • Part of subcall function 03E6C013: DestroyCursor.USER32(?), ref: 03E6C03C
                                                                      • Part of subcall function 03E6C013: DeleteObject.GDI32(?), ref: 03E6C04F
                                                                      • Part of subcall function 03E6C013: DeleteObject.GDI32(?), ref: 03E6C05C
                                                                      • Part of subcall function 03E6C013: DeleteObject.GDI32(?), ref: 03E6C069
                                                                      • Part of subcall function 03E6C013: DeleteObject.GDI32(?), ref: 03E6C076
                                                                      • Part of subcall function 03E6C013: _memset.LIBCMT ref: 03E6C084
                                                                      • Part of subcall function 03E6C013: _memset.LIBCMT ref: 03E6C094
                                                                    • _memset.LIBCMT ref: 03E6D2A5
                                                                    • GetIconInfo.USER32(03E5E57F,00000000), ref: 03E6D2B2
                                                                    • DeleteObject.GDI32(03E5E57F), ref: 03E6D2EC
                                                                    • DeleteObject.GDI32(?), ref: 03E6D2F1
                                                                    • _memset.LIBCMT ref: 03E6D32A
                                                                    • GetIconInfo.USER32(00000000,00000000), ref: 03E6D337
                                                                    • DeleteObject.GDI32(03E5E57F), ref: 03E6D35E
                                                                    • DeleteObject.GDI32(?), ref: 03E6D363
                                                                    • InvalidateRect.USER32(03E5E57F,00000000,00000001,00000001,00000000,?,00000001), ref: 03E6D36C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: DeleteObject$_memset$CursorDestroyIconInfo$InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 1019801581-0
                                                                    • Opcode ID: 962a63e3170f200669fd323b811d81c1a2d94ac711a693882d59a4e0f98824cd
                                                                    • Instruction ID: 18ef4681ca54cbca25bffcc824cc701c2461b6b09c1577baa23297188041a4b8
                                                                    • Opcode Fuzzy Hash: 962a63e3170f200669fd323b811d81c1a2d94ac711a693882d59a4e0f98824cd
                                                                    • Instruction Fuzzy Hash: D231B131B40708ABCB20EFB5CC49FAFBBF8AF88754F540224E559E6291E771A510CB50
                                                                    APIs
                                                                      • Part of subcall function 00480483: _rand.LIBCMT ref: 004804C8
                                                                    • __itoa.LIBCMT ref: 00479F45
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __itoa_rand
                                                                    • String ID: \$\$d$d
                                                                    • API String ID: 764641247-3279824421
                                                                    • Opcode ID: f42ff9dedd17ee57c68b54761dc5391fcd02f1c041456db46a2cfe1810baddba
                                                                    • Instruction ID: 47022e6247bc7d4829654cfb0ab95fa75e4d2d6e935d2e0293d4338996db2284
                                                                    • Opcode Fuzzy Hash: f42ff9dedd17ee57c68b54761dc5391fcd02f1c041456db46a2cfe1810baddba
                                                                    • Instruction Fuzzy Hash: DBE1F37180415DAFCF21DF60CC98EEA77B9EF09304F1484A6E88DE7141E7399E998B94
                                                                    APIs
                                                                      • Part of subcall function 03E778E4: GetModuleHandleA.KERNEL32(03F48958,03F48964,?,?,?,03E74BA2,?,?,?,?,?,?,?,?,[varPassword]), ref: 03E778F3
                                                                      • Part of subcall function 03E778E4: GetProcAddress.KERNEL32(00000000), ref: 03E778FA
                                                                      • Part of subcall function 03E778E4: GetCurrentProcess.KERNEL32(00000000,?,?), ref: 03E7790E
                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 03E77B03
                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 03E77BA4
                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 03E77BC2
                                                                      • Part of subcall function 03E77925: GetModuleHandleA.KERNEL32(03F48958,03F48974), ref: 03E77938
                                                                      • Part of subcall function 03E77925: GetProcAddress.KERNEL32(00000000), ref: 03E7793F
                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 03E77C4B
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,00000000), ref: 03E77C69
                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 03E77CF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile$AddressCurrentDirectoryHandleModuleProc$ProcessSystem
                                                                    • String ID: \
                                                                    • API String ID: 3594036932-2967466578
                                                                    • Opcode ID: eb258bd59bc8b9fd9ce1fbf667192829c32e43694d57655ab9888afbaffc49b7
                                                                    • Instruction ID: baba7d3bfc73c077cbd1966be4a08694ebfdda22ad4e481c1a06880dbea96caa
                                                                    • Opcode Fuzzy Hash: eb258bd59bc8b9fd9ce1fbf667192829c32e43694d57655ab9888afbaffc49b7
                                                                    • Instruction Fuzzy Hash: 6BA1363050865E4BDB16CA3C58687F6BBF6AF56308F2C57E0D8D9D7240DBB199C98B80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E5045B
                                                                      • Part of subcall function 03E4FAB3: _strlen.LIBCMT ref: 03E4FABA
                                                                    • _memset.LIBCMT ref: 03E50597
                                                                    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 03E505BD
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000200), ref: 03E50616
                                                                    • RegCloseKey.ADVAPI32(?,00000000,00000000,000000FF), ref: 03E5064C
                                                                      • Part of subcall function 03E4C8A2: _strlen.LIBCMT ref: 03E4C8A9
                                                                      • Part of subcall function 03E4D1B4: _strlen.LIBCMT ref: 03E4D1BB
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?), ref: 03E505DF
                                                                      • Part of subcall function 03E4C79A: std::_String_base::_Xlen.LIBCPMT ref: 03E4C7AF
                                                                      • Part of subcall function 03E4C79A: char_traits.LIBCPMT ref: 03E4C815
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$Open$CloseH_prolog3QueryString_base::_ValueXlen_memsetchar_traitsstd::_
                                                                    • String ID: :LM:
                                                                    • API String ID: 3382239625-1149852551
                                                                    • Opcode ID: a50a098245e7662812a72355bfa1cd17b63382cd4080ccf10bf8a70eb0ffece1
                                                                    • Instruction ID: 6d3cc714e31eceb38db0d3915287b04a6c71a289034ca1abb88b064145bab31b
                                                                    • Opcode Fuzzy Hash: a50a098245e7662812a72355bfa1cd17b63382cd4080ccf10bf8a70eb0ffece1
                                                                    • Instruction Fuzzy Hash: 00716AB550124CBFEB14EFA4DD94EEE776CEB04314F101229B916AB2C0DBB49E49CB61
                                                                    APIs
                                                                    • __EH_prolog3_catch.LIBCMT ref: 03E3540F
                                                                    • GetSystemMetrics.USER32(0000002A), ref: 03E354C0
                                                                    • GlobalFix.KERNEL32(?), ref: 03E35529
                                                                    • CreateDialogIndirectParamA.USER32(?,?,?,03E34E38,00000000), ref: 03E35558
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDialogGlobalH_prolog3_catchIndirectMetricsParamSystem
                                                                    • String ID: MS Shell Dlg
                                                                    • API String ID: 3629235202-76309092
                                                                    • Opcode ID: 36781f15dd76026550532be8761a48327c27f4c2dc1472425eb7516d08b914e9
                                                                    • Instruction ID: 24a00f648e78dd73dc862dc98f2318b534bb43bf38786cb2d90a8110f1e5f11a
                                                                    • Opcode Fuzzy Hash: 36781f15dd76026550532be8761a48327c27f4c2dc1472425eb7516d08b914e9
                                                                    • Instruction Fuzzy Hash: 2751A53190121AEFCF14EFA5C8889EEBBB5BF06315F185369E512AB2D0DB309A54CB51
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F49390,00000000,00020019,?), ref: 03E7D0E8
                                                                    • RegQueryValueExA.ADVAPI32(?,03F49380,00000000,?,?,00000400), ref: 03E7D113
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E7D11E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: \
                                                                    • API String ID: 3677997916-2967466578
                                                                    • Opcode ID: 69b0f58e0fb17e93239160872c06d99dbb6a0e67fbe50542957fb5dcd3c9caf5
                                                                    • Instruction ID: 2e87774839894855b12031a41b34f73acdd68bd5322a67d8861e9408ee037421
                                                                    • Opcode Fuzzy Hash: 69b0f58e0fb17e93239160872c06d99dbb6a0e67fbe50542957fb5dcd3c9caf5
                                                                    • Instruction Fuzzy Hash: 7B41C7B290012CBEDB10DEA49C84AFFBBBDEF05254F1857B5E555E3040D7B09A858B50
                                                                    APIs
                                                                      • Part of subcall function 004952E2: _sprintf.LIBCMT ref: 00495342
                                                                    • _malloc.LIBCMT ref: 0049032D
                                                                    • _memset.LIBCMT ref: 00490354
                                                                    • _malloc.LIBCMT ref: 00490439
                                                                      • Part of subcall function 00491F46: _fseek.LIBCMT ref: 00491F8A
                                                                      • Part of subcall function 00491F46: _ftell.LIBCMT ref: 00491F91
                                                                      • Part of subcall function 00491F46: _malloc.LIBCMT ref: 00491FAA
                                                                      • Part of subcall function 00491F46: _memset.LIBCMT ref: 00491FBA
                                                                      • Part of subcall function 00491F46: __fread_nolock.LIBCMT ref: 00491FC5
                                                                    • _memset.LIBCMT ref: 0049046E
                                                                      • Part of subcall function 0049114F: _malloc.LIBCMT ref: 00491193
                                                                    • _malloc.LIBCMT ref: 004904AD
                                                                    • _memset.LIBCMT ref: 004904C4
                                                                    • _malloc.LIBCMT ref: 004904FD
                                                                    • _memset.LIBCMT ref: 00490517
                                                                      • Part of subcall function 0049364E: _memset.LIBCMT ref: 0049366B
                                                                      • Part of subcall function 0049364E: _malloc.LIBCMT ref: 00493699
                                                                      • Part of subcall function 0049364E: _malloc.LIBCMT ref: 004936AE
                                                                      • Part of subcall function 0049364E: _sprintf.LIBCMT ref: 004936D4
                                                                      • Part of subcall function 0049364E: _sprintf.LIBCMT ref: 004936E4
                                                                      • Part of subcall function 00480568: _memset.LIBCMT ref: 0048058B
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc$_memset$_sprintf$__fread_nolock_fseek_ftell
                                                                    • String ID:
                                                                    • API String ID: 3993168423-0
                                                                    • Opcode ID: 9835c52694cb322dbb886d25300bab4e30761581f03c3c2f5e92ac105dc05f58
                                                                    • Instruction ID: 7de93b674881ce976f293caa014def530264185b39cd26b28f4e99dfcbfa0ef8
                                                                    • Opcode Fuzzy Hash: 9835c52694cb322dbb886d25300bab4e30761581f03c3c2f5e92ac105dc05f58
                                                                    • Instruction Fuzzy Hash: 53C14E72900108BEDF11AFA1DC45DEEBF7AEF08318F10447AFA04B6161E73A8E549B58
                                                                    APIs
                                                                      • Part of subcall function 03E6049F: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,03E608A5,00000000,03E66972,03E6697E,00000001,IPStringTable,00000000,?), ref: 03E604BD
                                                                    • _strlen.LIBCMT ref: 03E6094D
                                                                    • WriteFile.KERNEL32(03E60A43,00000080,00000004,00000000,00000000,?,00000000,?,?,?), ref: 03E60984
                                                                    • _strlen.LIBCMT ref: 03E60993
                                                                    • WriteFile.KERNEL32(03E60A43,00000010,?,00000000,00000000,?,00000000,?,?,?), ref: 03E609C7
                                                                    Strings
                                                                    • <IPROOT><IPVersion>3.2.0.0</IPVersion><IPData></IPData><IPLicenseInformation></IPLicenseInformation><IPProductInformation></IPProductInformation><IPDialogData></IPDialogData></IPROOT>, xrefs: 03E60946, 03E6094C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: File$Write_strlen$Create
                                                                    • String ID: <IPROOT><IPVersion>3.2.0.0</IPVersion><IPData></IPData><IPLicenseInformation></IPLicenseInformation><IPProductInformation></IPProductInformation><IPDialogData></IPDialogData></IPROOT>
                                                                    • API String ID: 3913224103-4115378930
                                                                    • Opcode ID: f4bec5d3ac9a753c1b8f23f89f972bc28dba171088745fcff5e2437b827cfad8
                                                                    • Instruction ID: 02cf198105e757c7d89f801d9deed8ee19c40daebc79e445873ccd3a7795f27e
                                                                    • Opcode Fuzzy Hash: f4bec5d3ac9a753c1b8f23f89f972bc28dba171088745fcff5e2437b827cfad8
                                                                    • Instruction Fuzzy Hash: CF21BDB194421DBFEB10EF61DC84FAE7BBDEF44398F105560EA01E6190E2308E10CB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_sprintf
                                                                    • String ID:
                                                                    • API String ID: 891462717-0
                                                                    • Opcode ID: 5b6ddb7ee8e6f93359c2b399f4dbd09139677def9874c15d225c5f3eeefcc67a
                                                                    • Instruction ID: d381cec39464754aef8171566459ae7634225b27061956d1ffb1d1a60e92bc03
                                                                    • Opcode Fuzzy Hash: 5b6ddb7ee8e6f93359c2b399f4dbd09139677def9874c15d225c5f3eeefcc67a
                                                                    • Instruction Fuzzy Hash: 42C173B180415DABDF21DFA5CC85EEF7BBCAB08304F1085EAE549E6141D7389B45CB68
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 0048FBFB
                                                                      • Part of subcall function 0043E4A6: __FF_MSGBANNER.LIBCMT ref: 0043E4C9
                                                                    • _memset.LIBCMT ref: 0048FC15
                                                                    • _malloc.LIBCMT ref: 0048FCA3
                                                                    • _memset.LIBCMT ref: 0048FCC6
                                                                      • Part of subcall function 0049114F: _malloc.LIBCMT ref: 00491193
                                                                    • _malloc.LIBCMT ref: 0048FD08
                                                                    • _memset.LIBCMT ref: 0048FD1F
                                                                      • Part of subcall function 00491041: _malloc.LIBCMT ref: 0049106C
                                                                      • Part of subcall function 00480568: _memset.LIBCMT ref: 0048058B
                                                                    • _malloc.LIBCMT ref: 0048FD58
                                                                    • _memset.LIBCMT ref: 0048FD6F
                                                                      • Part of subcall function 004937B6: _memset.LIBCMT ref: 004937CE
                                                                      • Part of subcall function 0049364E: _memset.LIBCMT ref: 0049366B
                                                                      • Part of subcall function 0049364E: _malloc.LIBCMT ref: 00493699
                                                                      • Part of subcall function 0049364E: _malloc.LIBCMT ref: 004936AE
                                                                      • Part of subcall function 0049364E: _sprintf.LIBCMT ref: 004936D4
                                                                      • Part of subcall function 0049364E: _sprintf.LIBCMT ref: 004936E4
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc$_memset$_sprintf
                                                                    • String ID:
                                                                    • API String ID: 3646932963-0
                                                                    • Opcode ID: 7aa1ebe799e76bb88c2beb8d2fd2d22b5d4b5b8b4998a38dbae5f99e019a39de
                                                                    • Instruction ID: 3e944c946e104465830cbc91c7c914ad4b0b5e36b7201cce558b4330b6f83bb2
                                                                    • Opcode Fuzzy Hash: 7aa1ebe799e76bb88c2beb8d2fd2d22b5d4b5b8b4998a38dbae5f99e019a39de
                                                                    • Instruction Fuzzy Hash: 0F715F72D00209BACF11BFD29C46DEFBF79EF58359F10046AFA00B1161D6398A549BA5
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 03E19326
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 03E19345
                                                                    • _malloc.LIBCMT ref: 03E19352
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 03E19367
                                                                    • ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000), ref: 03E1938A
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 03E19397
                                                                    • _malloc.LIBCMT ref: 03E193D0
                                                                      • Part of subcall function 03E35E59: __lock.LIBCMT ref: 03E35E77
                                                                      • Part of subcall function 03E35E59: ___sbh_find_block.LIBCMT ref: 03E35E82
                                                                      • Part of subcall function 03E35E59: ___sbh_free_block.LIBCMT ref: 03E35E91
                                                                      • Part of subcall function 03E35E59: RtlFreeHeap.NTDLL(00000000,03E11FC4,03F5FB40,0000000C,03E3B65F,00000000,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA,00000004,03F5FB80,0000000C), ref: 03E35EC1
                                                                      • Part of subcall function 03E35E59: GetLastError.KERNEL32(?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214,?,00000000), ref: 03E35ED2
                                                                    • _memcmp.LIBCMT ref: 03E19499
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseHandle_malloc$CreateErrorFreeHeapLastReadSize___sbh_find_block___sbh_free_block__lock_memcmp
                                                                    • String ID:
                                                                    • API String ID: 4264607096-0
                                                                    • Opcode ID: ea27369bf80e1fed4dd37989805eca1bd2a2ac98e4f27fafc9849c8547059729
                                                                    • Instruction ID: d2110f0517b2fabd1a4774f57f3b0b35dcba8f617095fb42810e7301f7e3329c
                                                                    • Opcode Fuzzy Hash: ea27369bf80e1fed4dd37989805eca1bd2a2ac98e4f27fafc9849c8547059729
                                                                    • Instruction Fuzzy Hash: F1719EB5D00208EBDF10DFA4DC98BEEB374BF05304F148668E51AAB2C5DB75AA54CB91
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 03E2A6AF
                                                                    • BeginDeferWindowPos.USER32(00000008), ref: 03E2A6C7
                                                                    • GetTopWindow.USER32(?), ref: 03E2A6D9
                                                                    • GetDlgCtrlID.USER32(00000000), ref: 03E2A6E4
                                                                    • SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 03E2A716
                                                                    • GetWindow.USER32(00000000,00000002), ref: 03E2A71F
                                                                    • CopyRect.USER32(?,?), ref: 03E2A73D
                                                                    • EndDeferWindowPos.USER32(00000000), ref: 03E2A7B9
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
                                                                    • String ID:
                                                                    • API String ID: 1228040700-0
                                                                    • Opcode ID: 2d946ebdbcfe36851886070f5ae688ac64e45838a81d497db00a0b98a91e3b70
                                                                    • Instruction ID: dea30fce683e03de1da3ad158ce3a15d9b90b8e8a6469949074366f7f39b7e03
                                                                    • Opcode Fuzzy Hash: 2d946ebdbcfe36851886070f5ae688ac64e45838a81d497db00a0b98a91e3b70
                                                                    • Instruction Fuzzy Hash: DC41407190062ADFCF10DF95D8848EEBBB9FF48304F18567AE905A7240DB34AA50CFA4
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000064), ref: 03E5723B
                                                                      • Part of subcall function 03E29CEE: GetWindowRect.USER32(?,?), ref: 03E29D58
                                                                      • Part of subcall function 03E29CEE: GetWindowLongA.USER32(00000000,000000F0), ref: 03E29D6E
                                                                      • Part of subcall function 03E29CEE: CopyRect.USER32(?,?), ref: 03E29DBB
                                                                      • Part of subcall function 03E29CEE: CopyRect.USER32(?,?), ref: 03E29DC5
                                                                      • Part of subcall function 03E2D842: SetWindowPos.USER32(?,?,00000015,000000FF,000000FF,?,?,?,03E29EAA,00000000,?,?,000000FF,000000FF,00000015), ref: 03E2D868
                                                                    • GetCurrentThreadId.KERNEL32 ref: 03E572DA
                                                                    • GetForegroundWindow.USER32(00000000), ref: 03E572E4
                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 03E572EB
                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 03E57305
                                                                    • SetForegroundWindow.USER32(?), ref: 03E5730A
                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 03E5731F
                                                                      • Part of subcall function 03E570E0: GetTickCount.KERNEL32 ref: 03E570EC
                                                                      • Part of subcall function 03E570E0: Sleep.KERNEL32(?,?,?,?,?,03E57239), ref: 03E57117
                                                                    • SetForegroundWindow.USER32(?), ref: 03E57328
                                                                      • Part of subcall function 03E2D6AE: SetFocus.USER32(?,03E57335), ref: 03E2D6B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Thread$ForegroundRect$AttachCopyInputSleep$CountCurrentFocusLongProcessTick
                                                                    • String ID:
                                                                    • API String ID: 2116885401-0
                                                                    • Opcode ID: 559a757af1441470c62d32cc184d2e40afa527c3b431df36e5f3664977700cb8
                                                                    • Instruction ID: 90e3ea03309e872a08369add52c12dd3742ce4cd18b5af5d9f381b92022397a9
                                                                    • Opcode Fuzzy Hash: 559a757af1441470c62d32cc184d2e40afa527c3b431df36e5f3664977700cb8
                                                                    • Instruction Fuzzy Hash: DC41A235201224BFCB22AF61DC48FDE7FA6BF49720F085250FE095E1A1CB719860CB90
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __fread_nolock_malloc_memset$__fsopen_fseek_ftell_strncat
                                                                    • String ID:
                                                                    • API String ID: 1260414688-0
                                                                    • Opcode ID: 9752ceb440b829801636862eaf392528ba4b5282bbee8f05d3a781b4af490141
                                                                    • Instruction ID: 3e931a5c9813adce4881e0438e676e681df0cf1674c9ace628c67129d0e2c98a
                                                                    • Opcode Fuzzy Hash: 9752ceb440b829801636862eaf392528ba4b5282bbee8f05d3a781b4af490141
                                                                    • Instruction Fuzzy Hash: 71210C725443057BEF217F668C82F5B3B99EF54358F20042FFA44962A2DB7ED811561C
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: DeleteObject$CursorDestroy_memset
                                                                    • String ID:
                                                                    • API String ID: 2159749563-0
                                                                    • Opcode ID: 78b5f9bbf85f940b86d266effc413f9ea057632f101b96bc801e9283c464812d
                                                                    • Instruction ID: 0c013bc68ee8376724849c808947797394b4272b71b7deaafd33436c71d1f5a4
                                                                    • Opcode Fuzzy Hash: 78b5f9bbf85f940b86d266effc413f9ea057632f101b96bc801e9283c464812d
                                                                    • Instruction Fuzzy Hash: 8A01F771741B0467DAB0FA7A8C48F57E3EC5FA0745F291A19B498E3180DEB4F4008A60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$H_prolog3H_prolog3__strlen
                                                                    • String ID:
                                                                    • API String ID: 2299023779-0
                                                                    • Opcode ID: 88ee65aa64b51b62e207183428610d2102d45dea6f6898062d9a36de348a53b8
                                                                    • Instruction ID: 5b76154463ff225ffa52baae826e461f065d73a2b8ee0e24f84c9113170ff6f3
                                                                    • Opcode Fuzzy Hash: 88ee65aa64b51b62e207183428610d2102d45dea6f6898062d9a36de348a53b8
                                                                    • Instruction Fuzzy Hash: B78142B160125CAEDB51EF95DC91EEF77ADAB48308F40001EF905E7242DF785A09CBA9
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __sopen_s
                                                                    • String ID: $UNICODE$UTF-16LE$UTF-8$ccs=
                                                                    • API String ID: 2693426323-1656882147
                                                                    • Opcode ID: dfc541fd3497f3e2e4147a5819ef1651b7b32b2fc6beca0972f6e13617e3d933
                                                                    • Instruction ID: 2948608ed5259a7c88c6194019c4310597a530c56715c879a1f13f4e0ad25c4f
                                                                    • Opcode Fuzzy Hash: dfc541fd3497f3e2e4147a5819ef1651b7b32b2fc6beca0972f6e13617e3d933
                                                                    • Instruction Fuzzy Hash: 8F71D371C08209FEDF24CF69844D6A9BBB4BF07318F58E3AAD85696161D3758A47CF40
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset_sprintf$_strncpy
                                                                    • String ID:
                                                                    • API String ID: 386049301-0
                                                                    • Opcode ID: f943aa2b01f5c7fb1ea3a83dc6c3d0455b197aa4bd3e8b0374753ccd41901739
                                                                    • Instruction ID: 9703abcd09906c6f71fe40af7cb218fd52ec28bfc89f2e32135d55dd4f9f0116
                                                                    • Opcode Fuzzy Hash: f943aa2b01f5c7fb1ea3a83dc6c3d0455b197aa4bd3e8b0374753ccd41901739
                                                                    • Instruction Fuzzy Hash: 8F510571914198AEDB51DFE4CD44BEEBBFCAF49300F0448A6E885EB241D67C9B0C8B65
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E4FB3B
                                                                    • _memset.LIBCMT ref: 03E4FB58
                                                                    • _memset.LIBCMT ref: 03E4FB74
                                                                    • _memset.LIBCMT ref: 03E4FB91
                                                                      • Part of subcall function 03E4FAB3: _strlen.LIBCMT ref: 03E4FABA
                                                                      • Part of subcall function 03E4C79A: std::_String_base::_Xlen.LIBCPMT ref: 03E4C7AF
                                                                      • Part of subcall function 03E4D32A: _strlen.LIBCMT ref: 03E4D331
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_strlen$H_prolog3String_base::_Xlenstd::_
                                                                    • String ID: ActivateInstallation$DeactivateInstallation
                                                                    • API String ID: 625651370-3782018730
                                                                    • Opcode ID: 701ad529bf17fb0d837cc7f14f37f1cb2b262db5bc4fc23815425e049945002a
                                                                    • Instruction ID: 3c7ba0aaf6972ae10881f915d20b03f0a97e6c82bad8829e20fc22104e77f233
                                                                    • Opcode Fuzzy Hash: 701ad529bf17fb0d837cc7f14f37f1cb2b262db5bc4fc23815425e049945002a
                                                                    • Instruction Fuzzy Hash: EE5164B590025CAFDF15EF64DC90EEF77ACEF09604F005225F91AAB280DB745B068BA5
                                                                    APIs
                                                                    • getSystemCP.LIBCMT ref: 03E41A3A
                                                                      • Part of subcall function 03E419A7: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03E419B4
                                                                      • Part of subcall function 03E419A7: GetOEMCP.KERNEL32(00000000,?,03E4127E,?,00000000,74DEF380), ref: 03E419CE
                                                                    • setSBCS.LIBCMT ref: 03E41A4C
                                                                      • Part of subcall function 03E41724: _memset.LIBCMT ref: 03E41737
                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,03F600D0), ref: 03E41A92
                                                                    • GetCPInfo.KERNEL32(00000000,03E41DA4), ref: 03E41AA5
                                                                    • _memset.LIBCMT ref: 03E41ABD
                                                                    • setSBUpLow.LIBCMT ref: 03E41B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                                                    • String ID:
                                                                    • API String ID: 2658552758-0
                                                                    • Opcode ID: eff17ae844e0a8e8092dbd4608640152496c969949d50541f3ad86ac5a035784
                                                                    • Instruction ID: 65ae372be66036ab30b2c1baa7e19900c48b1a174f9f6ebcfc44507567630023
                                                                    • Opcode Fuzzy Hash: eff17ae844e0a8e8092dbd4608640152496c969949d50541f3ad86ac5a035784
                                                                    • Instruction Fuzzy Hash: 9C511670D04255DFCF15DF65E8842BEBBB5EF0D314F08A2AAD8869F242E634D486CB90
                                                                    APIs
                                                                    • OffsetRect.USER32(?,?,?), ref: 03E6C879
                                                                    • CopyRect.USER32(?,?), ref: 03E6C880
                                                                    • OffsetRect.USER32(?,?,?), ref: 03E6C8EC
                                                                    • OffsetRect.USER32(?,00000001,00000001), ref: 03E6C906
                                                                    • GetSysColor.USER32(00000014), ref: 03E6C90F
                                                                    • OffsetRect.USER32(?,000000FF,000000FF), ref: 03E6C932
                                                                    • GetSysColor.USER32(00000010), ref: 03E6C938
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$Offset$Color$Copy
                                                                    • String ID:
                                                                    • API String ID: 4222521089-0
                                                                    • Opcode ID: 80b84bb5e280e56187925199bdd2076463288c43ab3058d1b475ea854d0a471b
                                                                    • Instruction ID: 5177978038cd6721a2d5ef6f88ef6310a744fdd3d2fb6d1686faa318a8728b8c
                                                                    • Opcode Fuzzy Hash: 80b84bb5e280e56187925199bdd2076463288c43ab3058d1b475ea854d0a471b
                                                                    • Instruction Fuzzy Hash: B5517C30600215EFCB10DF68CC88EAEBBB5FF49725F245358F5959B2A1CB71A950DB50
                                                                    APIs
                                                                    Strings
                                                                    • CxImage::Create can't allocate memory, xrefs: 03E6B783
                                                                    • CxImage::Create : width and height must be greater than zero, xrefs: 03E6B7E3
                                                                    • CXIMAGE_MAX_MEMORY exceeded, xrefs: 03E6B6FC
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strcat
                                                                    • String ID: CXIMAGE_MAX_MEMORY exceeded$CxImage::Create : width and height must be greater than zero$CxImage::Create can't allocate memory
                                                                    • API String ID: 1765576173-873654341
                                                                    • Opcode ID: ee4300cdfc2a2a4420a625ee6bc262aba899984e9890afa2bece67ebacd56ec9
                                                                    • Instruction ID: 1396c1600c7b60c6044a6f85d436baa87561804a9705ae39aa3758370bc3d082
                                                                    • Opcode Fuzzy Hash: ee4300cdfc2a2a4420a625ee6bc262aba899984e9890afa2bece67ebacd56ec9
                                                                    • Instruction Fuzzy Hash: F141D4756803068BDF18DF2A88C16AAB7A5BF85384F18777ED806CE386D7B0E441C790
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E2A4D5
                                                                    • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 03E2A4FE
                                                                    • GetWindowLongA.USER32(?,000000FC), ref: 03E2A510
                                                                    • GetWindowLongA.USER32(?,000000FC), ref: 03E2A521
                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 03E2A53D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend_memset
                                                                    • String ID: (
                                                                    • API String ID: 2997958587-3887548279
                                                                    • Opcode ID: 5554ceadbe339e6cccdc270ea4110aec985b48bcc55ff872306fd594fec9d23a
                                                                    • Instruction ID: f9f8664b6988e336ca09f2348071af57008746a533404aa91b32cec85b7df942
                                                                    • Opcode Fuzzy Hash: 5554ceadbe339e6cccdc270ea4110aec985b48bcc55ff872306fd594fec9d23a
                                                                    • Instruction Fuzzy Hash: 69318E756003219FCB20EFB9D988A6EFBB8BF49214B18177DE5429B691DB70E800CB50
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E2A4D5
                                                                    • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 03E2A4FE
                                                                    • GetWindowLongA.USER32(?,000000FC), ref: 03E2A510
                                                                    • GetWindowLongA.USER32(?,000000FC), ref: 03E2A521
                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 03E2A53D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend_memset
                                                                    • String ID: (
                                                                    • API String ID: 2997958587-3887548279
                                                                    • Opcode ID: 2963aecfad359c1ab3fdef5801265be498765eda70a81665bc271c6d428eb8a7
                                                                    • Instruction ID: 71198ad7e4194e3f31a1897322087037ad9da91ee8cc634b3106c20c7be34e94
                                                                    • Opcode Fuzzy Hash: 2963aecfad359c1ab3fdef5801265be498765eda70a81665bc271c6d428eb8a7
                                                                    • Instruction Fuzzy Hash: 2A31A3756003259FCB20EFA9D988A6EFBF8BF49214B18177DE5429B691DF70E800CB50
                                                                    APIs
                                                                    • GetWindow.USER32(?,00000002), ref: 03ECE299
                                                                    • GetParent.USER32(?), ref: 03ECE2AA
                                                                    • GetWindow.USER32(?,00000002), ref: 03ECE2CD
                                                                    • GetWindow.USER32(?,00000002), ref: 03ECE2DF
                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 03ECE2EE
                                                                    • IsWindowVisible.USER32(?), ref: 03ECE308
                                                                    • GetTopWindow.USER32(?), ref: 03ECE32E
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$LongParentVisible
                                                                    • String ID:
                                                                    • API String ID: 506644340-0
                                                                    • Opcode ID: 0e8366ddf8f17a741afb56e4a8d7426d28053e995928d61b4be1225f691eb7a3
                                                                    • Instruction ID: a538c0b5237dbe5750aabdd248630edab3363da0754acdcc467f2c2f59002276
                                                                    • Opcode Fuzzy Hash: 0e8366ddf8f17a741afb56e4a8d7426d28053e995928d61b4be1225f691eb7a3
                                                                    • Instruction Fuzzy Hash: 1221C432A107A4A7C621FA799D08F6FB6ACBF84356F0D272CFD81A7140D614FC01C660
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E2F504
                                                                    • GetMenuItemInfoA.USER32 ref: 03E2F52C
                                                                    • GetMenuItemInfoA.USER32(?,?,00000000,?), ref: 03E2F553
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 03E2F5B8
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 03E2F5C1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenuMetricsSystem$_memset
                                                                    • String ID: @
                                                                    • API String ID: 2935605626-2766056989
                                                                    • Opcode ID: c144e152c5c06ddcc0c56d43baca6f130163f90e9c0b201c8a228fc6bf1eac5a
                                                                    • Instruction ID: 93e25d27abc3e7d1409857a0e2a52e617681b8b6839b414c11c084794b4d37b7
                                                                    • Opcode Fuzzy Hash: c144e152c5c06ddcc0c56d43baca6f130163f90e9c0b201c8a228fc6bf1eac5a
                                                                    • Instruction Fuzzy Hash: A0312175904219AFCB01EFE9DC94FEDFBB8BF14304F149215E516AB281DB70A905CB64
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(user32.dll,03E741D5,00000000), ref: 03E7CDC9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID: EnumDisplayDevicesA$user32.dll
                                                                    • API String ID: 1029625771-2278183399
                                                                    • Opcode ID: c4dde13e64feb38eef454dd75f4f2012550c7c9e9c441e3468c1a354bdae689c
                                                                    • Instruction ID: c00e8c63b9ec7dc70d50f3155fbb542d68131765cd414984b53ab7324c8c5889
                                                                    • Opcode Fuzzy Hash: c4dde13e64feb38eef454dd75f4f2012550c7c9e9c441e3468c1a354bdae689c
                                                                    • Instruction Fuzzy Hash: 7B21F632200225BBCB21DF34AC885FF7B7EEB45354F2496F9E496EB041EA7095898B50
                                                                    APIs
                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 03E6562F
                                                                    • GetSysColorBrush.USER32(00000005), ref: 03E6563A
                                                                    • RegisterClassExA.USER32(00000030), ref: 03E65662
                                                                    • RegisterClassExA.USER32(00000030), ref: 03E6567E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ClassRegister$BrushColorCursorLoad
                                                                    • String ID: 0$SplashScreenExClass
                                                                    • API String ID: 4047181095-2521771386
                                                                    • Opcode ID: 7613e68e86db4d27f6be2bae67ac2a2e854914cc39d6cc8df0eb019ad45f1e00
                                                                    • Instruction ID: bedd170b47aa256c63da99baf06d05eee969b5062560a8818ffa7052071e1fa5
                                                                    • Opcode Fuzzy Hash: 7613e68e86db4d27f6be2bae67ac2a2e854914cc39d6cc8df0eb019ad45f1e00
                                                                    • Instruction Fuzzy Hash: D6214871A00318AFDB11DFAAD848BAEFBF8BF45344F14861AE551E7290DB74A540CF64
                                                                    APIs
                                                                    • SetFocus.USER32(00000000,00000000), ref: 03EC97E9
                                                                    • GetParent.USER32(?), ref: 03EC97F7
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 03EC9812
                                                                    • GetCurrentProcessId.KERNEL32 ref: 03EC9818
                                                                    • GetActiveWindow.USER32 ref: 03EC986B
                                                                    • SendMessageA.USER32(?,00000006,00000001,00000000), ref: 03EC987F
                                                                    • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 03EC9893
                                                                      • Part of subcall function 03E2D68D: EnableWindow.USER32(?,?), ref: 03E2D69A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
                                                                    • String ID:
                                                                    • API String ID: 2169720751-0
                                                                    • Opcode ID: 3e7f7dfece978b3cc87d3a8d91fef68ee89892ee95f901e45cc7fb2df9351967
                                                                    • Instruction ID: ba0dc5f88421e691eb197c6c791c2ca97b9f6b486dfa43f79060218577ca6112
                                                                    • Opcode Fuzzy Hash: 3e7f7dfece978b3cc87d3a8d91fef68ee89892ee95f901e45cc7fb2df9351967
                                                                    • Instruction Fuzzy Hash: 2A21BC32610704AFCB21EF25DDC8BAEBBB9BF44704F085728F48A9B591CB71B4428B50
                                                                    APIs
                                                                      • Part of subcall function 03E788D1: GetVersionExA.KERNEL32(?,03E741B9), ref: 03E788F3
                                                                    • LoadLibraryA.KERNEL32(user32.dll,Microsoft Virtual Machine Bus,00000000), ref: 03E7CEAE
                                                                    • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 03E7CEC6
                                                                    • FreeLibrary.KERNEL32(?), ref: 03E7CED8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProcVersion
                                                                    • String ID: EnumDisplayDevicesA$Microsoft Virtual Machine Bus$user32.dll
                                                                    • API String ID: 493525861-374353394
                                                                    • Opcode ID: fbe45fc61ce984f44008b99a32675e1dee786baf2027f2809dbba478562c5f23
                                                                    • Instruction ID: 1737983a62831421bb6aa01da287570cc8342b5039460c85a02c91985233cfed
                                                                    • Opcode Fuzzy Hash: fbe45fc61ce984f44008b99a32675e1dee786baf2027f2809dbba478562c5f23
                                                                    • Instruction Fuzzy Hash: 511194B1901228BFEB10DBA4AC44EFF777CEF44768F2062A2F515F6181D3708A418BA1
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 03E329D5
                                                                    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 03E329F8
                                                                    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 03E32A14
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E32A24
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E32A2E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreate$Open
                                                                    • String ID: software
                                                                    • API String ID: 1740278721-2010147023
                                                                    • Opcode ID: 34dae36f71f62b166631221686c5dd55ccbcd081f485900a8b770b8bd7b8a031
                                                                    • Instruction ID: dfc0e2569d82806a69f1623727210c27ef6fda39c0b660c0c4005577580b4261
                                                                    • Opcode Fuzzy Hash: 34dae36f71f62b166631221686c5dd55ccbcd081f485900a8b770b8bd7b8a031
                                                                    • Instruction Fuzzy Hash: 8711FB72D01118BBCB21DA96DD88CEFFFBCEF8A754B1401AAA600A2111D270AA50DB60
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 03E52FBE
                                                                    • RegisterClassA.USER32(00000003), ref: 03E52FDB
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 03E52FE8
                                                                    • CreateWindowExA.USER32(00000000,Win453,Win453,000A0000,80000000,00000000,80000000,00000000,00000000,00000000,00000000), ref: 03E52FFE
                                                                    • SetTimer.USER32(00000000,00000001,00001388,03E52E78), ref: 03E5301E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$ClassCreateRegisterTimerWindow
                                                                    • String ID: Win453
                                                                    • API String ID: 903783779-3507610124
                                                                    • Opcode ID: 82f4992e1c4d160a82c5e1dc4ac0863cdb9ac800e3e8a8dac163a6f764a99c56
                                                                    • Instruction ID: 49faed15d408832751dd090ae254e29c8085e3a10e4226f727e86f8dcf074461
                                                                    • Opcode Fuzzy Hash: 82f4992e1c4d160a82c5e1dc4ac0863cdb9ac800e3e8a8dac163a6f764a99c56
                                                                    • Instruction Fuzzy Hash: F2112E75E41365AACB10DF9A9C45BEFBFBCEF4A750F14414AF404A2240C7B456018BE4
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 03E28469
                                                                    • GetWindowRect.USER32(?,?), ref: 03E28484
                                                                    • ScreenToClient.USER32(?,?), ref: 03E28497
                                                                    • ScreenToClient.USER32(?,?), ref: 03E284A0
                                                                    • EqualRect.USER32(?,?), ref: 03E284AA
                                                                    • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 03E284D2
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 03E284DC
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientRectScreen$DeferEqualParent
                                                                    • String ID:
                                                                    • API String ID: 443303494-0
                                                                    • Opcode ID: 6fb229a17815124aa65617eeaafe4a88454c0e682a26542e89850e520a8455da
                                                                    • Instruction ID: 4d4dda20327a32b11f8edb6dfc53e981031a9ccfec978cd5924fa024834d8332
                                                                    • Opcode Fuzzy Hash: 6fb229a17815124aa65617eeaafe4a88454c0e682a26542e89850e520a8455da
                                                                    • Instruction Fuzzy Hash: 90111C7650022AAFDB10EFA5EC44EABBBBDFF88710B148619BD15D3658D730A910CB60
                                                                    APIs
                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000090,?), ref: 03E79406
                                                                    • LoadLibraryA.KERNEL32(03F483A0), ref: 03E7942A
                                                                    • GetProcAddress.KERNEL32(00000000,03F4838C), ref: 03E79440
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 03E7944B
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 03E79470
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Free$AddressDirectoryLoadProcWindows
                                                                    • String ID: :
                                                                    • API String ID: 603858699-336475711
                                                                    • Opcode ID: a3d10cb617460fe00e19b69b626636985accd3fa082be1eef806791bb555b597
                                                                    • Instruction ID: 6cb79488c20f55f4ad0bced3ec7acfe3985a7a67773ce0d38e52d885e3603a50
                                                                    • Opcode Fuzzy Hash: a3d10cb617460fe00e19b69b626636985accd3fa082be1eef806791bb555b597
                                                                    • Instruction Fuzzy Hash: 64110A31905269BEDF22EB64AC44AEE7B7C9F06348F0852D9F592A2043F7749245C761
                                                                    APIs
                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 03E246A0
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E246AA
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,03E2521A,03E237EB,03E27284,?,03E25C95,00000004), ref: 03E246C1
                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 03E246CE
                                                                      • Part of subcall function 03E2379D: __CxxThrowException@8.LIBCMT ref: 03E237B1
                                                                    • _memset.LIBCMT ref: 03E246ED
                                                                    • TlsSetValue.KERNEL32(?,00000000), ref: 03E246FE
                                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 03E2471F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                                                                    • String ID:
                                                                    • API String ID: 356813703-0
                                                                    • Opcode ID: 230d6bd201bafbfcc5b13fee18ec18d66283be06e6096ea6fdd09978120f3a2a
                                                                    • Instruction ID: dc3ae7f519304b7b5c8352c0da87eabc8e8d62746e6ae14c74131a39a61cbd78
                                                                    • Opcode Fuzzy Hash: 230d6bd201bafbfcc5b13fee18ec18d66283be06e6096ea6fdd09978120f3a2a
                                                                    • Instruction Fuzzy Hash: 1D118EB8100615EFDB10FF66EC88D2BBBBAFF41325710C629E51A96665CB30AC64CF50
                                                                    APIs
                                                                    • TlsGetValue.KERNEL32(?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D803
                                                                    • TlsGetValue.KERNEL32(03F6A9F4,?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D81A
                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D82F
                                                                    • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 03E3D84A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Value$AddressHandleModuleProc
                                                                    • String ID: DecodePointer$KERNEL32.DLL
                                                                    • API String ID: 1929421221-629428536
                                                                    • Opcode ID: e6fa6063c129b922275a255ef87e31e381083afa5b020c340367700ff2352cf4
                                                                    • Instruction ID: 06cced5209424584ca923f1edeb9d17f34eae4e399221c9002a942109d0e6978
                                                                    • Opcode Fuzzy Hash: e6fa6063c129b922275a255ef87e31e381083afa5b020c340367700ff2352cf4
                                                                    • Instruction Fuzzy Hash: FAF036705016279BCA11EB35ED189EB7BB5EF433647095724E824E3178DB20E851CA91
                                                                    APIs
                                                                    • TlsGetValue.KERNEL32(03E3F234,03E3F2B4,03E3F234,00000014,03E3B638,00000000,00000FA0,03F5FD88,0000000C,03E3B697,03E11FC4,?,?,03E365EA,00000004,03F5FB80), ref: 03E3D78C
                                                                    • TlsGetValue.KERNEL32(03F6A9F4,?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214), ref: 03E3D7A3
                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,03E365EA,00000004,03F5FB80,0000000C,03E40E84,03E35E49,03E35E49,00000000,00000000,00000000,03E3D9C4,00000001,00000214), ref: 03E3D7B8
                                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 03E3D7D3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Value$AddressHandleModuleProc
                                                                    • String ID: EncodePointer$KERNEL32.DLL
                                                                    • API String ID: 1929421221-3682587211
                                                                    • Opcode ID: 5e4ab27471cec75fb0c237b690ab5e848e80919a4fce9538631e2618f9689be1
                                                                    • Instruction ID: 069f709e81bda37d1be43a100e2e05dc8ab5aea38468e379ceaddf4893bfc0f3
                                                                    • Opcode Fuzzy Hash: 5e4ab27471cec75fb0c237b690ab5e848e80919a4fce9538631e2618f9689be1
                                                                    • Instruction Fuzzy Hash: 1CF05474905623DBCA61FF36ED48AAF7BB89F42254B0A5720F824E3164DB70CC91CA91
                                                                    APIs
                                                                    • GetSysColor.USER32(0000000F), ref: 03E26CED
                                                                    • GetSysColor.USER32(00000010), ref: 03E26CF4
                                                                    • GetSysColor.USER32(00000014), ref: 03E26CFB
                                                                    • GetSysColor.USER32(00000012), ref: 03E26D02
                                                                    • GetSysColor.USER32(00000006), ref: 03E26D09
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 03E26D16
                                                                    • GetSysColorBrush.USER32(00000006), ref: 03E26D1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Brush
                                                                    • String ID:
                                                                    • API String ID: 2798902688-0
                                                                    • Opcode ID: 3db808ce64d6e2fa5d72e50324ed518ec7f37fb56f0eaa45c639ea357aa3680c
                                                                    • Instruction ID: ff57cc1f069f1369ad8afb16c5c97112fa311679a1daa27e9d2f6058e805d3c2
                                                                    • Opcode Fuzzy Hash: 3db808ce64d6e2fa5d72e50324ed518ec7f37fb56f0eaa45c639ea357aa3680c
                                                                    • Instruction Fuzzy Hash: F6F0F8719417489BD730BB779D09B47BAE1EFC4B10F02092ED2858BA90E6B6E0409F40
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3a77640dd0ed1f0ac1dfec02163ef511d882ea719e5f64d97ec98978318552f7
                                                                    • Instruction ID: 3e6148d813a1007eb615a8ab1b826ee72e226633538ceba2e8ef1c21f6eeee12
                                                                    • Opcode Fuzzy Hash: 3a77640dd0ed1f0ac1dfec02163ef511d882ea719e5f64d97ec98978318552f7
                                                                    • Instruction Fuzzy Hash: 73A1D3B5E00219DFCB04CF98C895AAEBBB5FF48314F149259E516AB381D735A981CFA0
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00000800), ref: 03E89A80
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E89A9A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$Alloc
                                                                    • String ID:
                                                                    • API String ID: 2558781224-0
                                                                    • Opcode ID: bf638f51461be1ed5d94fe9ce7c5ac00ec8ee931f6350783e97c7beaa7730975
                                                                    • Instruction ID: 407f1d7ed965063654914608c39f46caddf729560bd231ec566f9e0836af9eb2
                                                                    • Opcode Fuzzy Hash: bf638f51461be1ed5d94fe9ce7c5ac00ec8ee931f6350783e97c7beaa7730975
                                                                    • Instruction Fuzzy Hash: C9711E75A8030AAFDB11DF54DC86F9B3BA4FF25794F100115BA04AB2E1E3B0D9A08BD5
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00004000,00000000), ref: 03E87755
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E8776D
                                                                    • _sprintf.LIBCMT ref: 03E877D7
                                                                    • _sprintf.LIBCMT ref: 03E8784C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global_sprintf$Alloc
                                                                    • String ID:
                                                                    • API String ID: 73716161-0
                                                                    • Opcode ID: 71d2ab4d768c50ef420893af44890d6cdc4ba09e9fa839ed7c3ca0c080bae43e
                                                                    • Instruction ID: d43e23ee0c746b948917824ff0996fa8903d2c4dd5208e2c4f16e4214840f1e2
                                                                    • Opcode Fuzzy Hash: 71d2ab4d768c50ef420893af44890d6cdc4ba09e9fa839ed7c3ca0c080bae43e
                                                                    • Instruction Fuzzy Hash: 5B61AE76901209FFCB02EF64CC40EDF7BB9AF06204F1551A6FA4DA7201DB719A91DB64
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global_sprintf$Alloc
                                                                    • String ID:
                                                                    • API String ID: 73716161-0
                                                                    • Opcode ID: 1e332072693ac5b4c0572a4c2f38c81efbaa8173b249edcfe2ec68a879d40172
                                                                    • Instruction ID: 7d75dc3794e9fe16f580c3afb8b8856414d72e5c62bce592344a6e8d85f636c6
                                                                    • Opcode Fuzzy Hash: 1e332072693ac5b4c0572a4c2f38c81efbaa8173b249edcfe2ec68a879d40172
                                                                    • Instruction Fuzzy Hash: 5451B2B6901308BEDF11EF50DD44FEE7BBCEB04618F14526AFA0CA6040E7749A919B64
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__filbuf__read_memcpy_s
                                                                    • String ID:
                                                                    • API String ID: 1366226143-0
                                                                    • Opcode ID: f8a34e27fb704bd0c2d14cd0080e137a41b786e6b128e75e1da93a6475a52851
                                                                    • Instruction ID: f9a62dfdb30835e7b3f92a533aa2de4fae41fbb1150f65831c0fd88592f934e8
                                                                    • Opcode Fuzzy Hash: f8a34e27fb704bd0c2d14cd0080e137a41b786e6b128e75e1da93a6475a52851
                                                                    • Instruction Fuzzy Hash: 7B51F831900206FBEF249FAA8C5899FB7B5AF41324F14876BF424D2391D7389D51CB59
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__filbuf__read_memcpy_s
                                                                    • String ID:
                                                                    • API String ID: 1366226143-0
                                                                    • Opcode ID: 4ccddb506480e091b716016482fe439144e9dd5d11e2721053ff3c50689720e7
                                                                    • Instruction ID: 2e68b8ce490751baced8d31423ce182d82a413534a32bedff62d431aa293397e
                                                                    • Opcode Fuzzy Hash: 4ccddb506480e091b716016482fe439144e9dd5d11e2721053ff3c50689720e7
                                                                    • Instruction Fuzzy Hash: 2551F231E00209EBCB20CF69884899EFBB5EF41328F1C9769E425A6190D7309E56CB51
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$_sprintf$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 4012214052-0
                                                                    • Opcode ID: 420f6315048889484520470852f6a9872293b6dffbd9e83ef7ce69aa5e9b2d7d
                                                                    • Instruction ID: 99ab1660f97afa89227fe12d9be4658462704cc3d34a71510400b8f25b5cff74
                                                                    • Opcode Fuzzy Hash: 420f6315048889484520470852f6a9872293b6dffbd9e83ef7ce69aa5e9b2d7d
                                                                    • Instruction Fuzzy Hash: D0519FB2D00219AEDF21EF60DC04FDF7BBDAF04214F245296FA4DA6140E7759A958BA0
                                                                    APIs
                                                                    • _sprintf.LIBCMT ref: 03E7F056
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,03E741D5,03E741B9,00000000), ref: 03E7F071
                                                                    • _memset.LIBCMT ref: 03E7F0A6
                                                                    • _strncpy.LIBCMT ref: 03E7F0E1
                                                                    • DeviceIoControl.KERNEL32(00000000,0004D008,0000001C,0000003C,0000001C,0000022D,03E7A5DA,00000000), ref: 03E7F112
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E7F211
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseControlCreateDeviceFileHandle_memset_sprintf_strncpy
                                                                    • String ID:
                                                                    • API String ID: 1792689575-0
                                                                    • Opcode ID: c085c1aa7e4ef2560f5fc613fc40e7f17d45a0ed040fbd1df11609efef746163
                                                                    • Instruction ID: 8d7a40ca2824d84c8d8f44f81587ecd3cb2870eea49a97b883090b522e377072
                                                                    • Opcode Fuzzy Hash: c085c1aa7e4ef2560f5fc613fc40e7f17d45a0ed040fbd1df11609efef746163
                                                                    • Instruction Fuzzy Hash: EF51197190025AABDB21CF68CD58BEEBBB9AF05304F1452E5E949EB142E3709B46CF50
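The function above opens a handle with GENERIC_READ|GENERIC_WRITE (C0000000) and OPEN_EXISTING (3), then issues DeviceIoControl with control code 0004D008 and a 0x1C-byte input buffer. An analyst reading such a record usually wants the control code split into its CTL_CODE fields and matched against the published Windows constants. The C below is an added example written for this page, not code from the sample or from Joe Sandbox; the bit layout and the constant values are those of the Windows DDK headers (ntddscsi.h, ntdddisk.h, ntddstor.h). The `srb_io_control` struct mirrors the documented SRB_IO_CONTROL header; that the 0x1C input buffer here is that header, and that the preceding _strncpy fills its 8-byte Signature, is an inference from the matching size, not something the report states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a Windows I/O control code, as CTL_CODE() packs them:
 *   bits 31..16  DeviceType
 *   bits 15..14  Access   (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1, FILE_WRITE_ACCESS=2)
 *   bits 13..2   Function
 *   bits  1..0   Method   (METHOD_BUFFERED=0, IN_DIRECT=1, OUT_DIRECT=2, NEITHER=3)
 */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_parts;

ioctl_parts decode_ioctl(uint32_t code) {
    ioctl_parts p;
    p.device_type = (code >> 16) & 0xFFFFu;
    p.access      = (code >> 14) & 0x3u;
    p.function    = (code >> 2)  & 0xFFFu;
    p.method      =  code        & 0x3u;
    return p;
}

/* CTL_CODE() exactly as the DDK defines it, for round-tripping a decode. */
uint32_t ctl_code(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access) {
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* Storage IOCTLs that sandbox reports commonly surface when an installer or
 * protector reads drive identity. Values are the published Windows constants. */
static const struct { uint32_t code; const char *name; } known_ioctls[] = {
    { 0x0004D004u, "IOCTL_SCSI_PASS_THROUGH" },         /* SCSI base 4, fn 0x401 */
    { 0x0004D008u, "IOCTL_SCSI_MINIPORT" },             /* SCSI base 4, fn 0x402 */
    { 0x0004D014u, "IOCTL_SCSI_PASS_THROUGH_DIRECT" },  /* SCSI base 4, fn 0x405 */
    { 0x0007C088u, "SMART_RCV_DRIVE_DATA" },            /* DISK base 7, fn 0x022 */
    { 0x002D1400u, "IOCTL_STORAGE_QUERY_PROPERTY" },    /* STORAGE base 0x2D, fn 0x500 */
};

const char *ioctl_name(uint32_t code) {
    for (size_t i = 0; i < sizeof known_ioctls / sizeof known_ioctls[0]; i++)
        if (known_ioctls[i].code == code)
            return known_ioctls[i].name;
    return "(unknown)";
}

/* Header every IOCTL_SCSI_MINIPORT request begins with (SRB_IO_CONTROL in
 * ntddscsi.h). The miniport driver dispatches on Signature; user-mode code
 * typically fills it with an 8-byte strncpy, e.g. "SCSIDISK" for the
 * ATA identify / SMART protocol. 4 + 8 + 4 + 4 + 4 + 4 = 28 bytes = 0x1C. */
typedef struct {
    uint32_t HeaderLength;   /* must equal sizeof(SRB_IO_CONTROL) */
    uint8_t  Signature[8];
    uint32_t Timeout;
    uint32_t ControlCode;    /* miniport-specific sub-command */
    uint32_t ReturnCode;
    uint32_t Length;         /* payload bytes following the header */
} srb_io_control;

int main(void) {
    uint32_t code = 0x0004D008u;   /* control code from the record above */
    ioctl_parts p = decode_ioctl(code);
    printf("0x%08X -> %s: device 0x%X function 0x%X method %u access %u\n",
           code, ioctl_name(code), p.device_type, p.function, p.method, p.access);
    printf("sizeof(SRB_IO_CONTROL) = %zu (report's input buffer length: 0x1C)\n",
           sizeof(srb_io_control));
    printf("round trip: 0x%08X\n", ctl_code(p.device_type, p.function, p.method, p.access));
    return 0;
}
```

Access value 3 (read and write) together with the GENERIC_READ|GENERIC_WRITE handle is consistent: the kernel refuses IOCTL_SCSI_MINIPORT on a handle opened with less. A 0x1C-byte request whose header signature is copied by strncpy, on a function the report places near the disk and WMI queries flagged in the summary, is the pattern to look for when deciding whether a sample is reading drive serials for fingerprinting; the report alone does not say what the miniport sub-command was.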
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F49390,00000000,00020019,03E74211,00000000), ref: 03E7CF51
                                                                    • RegQueryValueExA.ADVAPI32(03E74211,03F49380,00000000,03E741D5,?,00000400,03E741B9), ref: 03E7CF7C
                                                                    • RegCloseKey.ADVAPI32(03E74211), ref: 03E7CF87
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: f4e23908f425aa8a0845edee6e602d9e429aca191915ae7eed05160d6c041df8
                                                                    • Instruction ID: 26871c88fa40243107f3f20b39c156c90c59f6149cef908d105d1d593a53e87f
                                                                    • Opcode Fuzzy Hash: f4e23908f425aa8a0845edee6e602d9e429aca191915ae7eed05160d6c041df8
                                                                    • Instruction Fuzzy Hash: 4841F872504158EEDB21DFA09C98BFABBBEAB05304F1853B5DA81F7005E6718A4ECB50
                                                                    APIs
                                                                    • _calloc.LIBCMT ref: 03E13FE6
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 03E14011
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E14049
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 03E1409D
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E14128
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$AddressHandleModuleProc_calloc
                                                                    • String ID:
                                                                    • API String ID: 1242574779-0
                                                                    • Opcode ID: 7c9c09a07ea4c403db256e6e3d6ffdc794088d4c74d122efd076098453e347e3
                                                                    • Instruction ID: a08a1023fe8643a5d4f7e461deabaa55eb525cda8257cd1ed3653abab9b609bb
                                                                    • Opcode Fuzzy Hash: 7c9c09a07ea4c403db256e6e3d6ffdc794088d4c74d122efd076098453e347e3
                                                                    • Instruction Fuzzy Hash: 8E61E178E00209DFDB04CF95C584BAEB7B1FF49304F248699D911AB395C776AA51CF90
                                                                    APIs
                                                                      • Part of subcall function 03E23D0A: GetParent.USER32(?), ref: 03E23D5D
                                                                      • Part of subcall function 03E23D0A: GetLastActivePopup.USER32(?), ref: 03E23D6C
                                                                      • Part of subcall function 03E23D0A: IsWindowEnabled.USER32(?), ref: 03E23D81
                                                                      • Part of subcall function 03E23D0A: EnableWindow.USER32(?,00000000), ref: 03E23D94
                                                                    • EnableWindow.USER32(?,00000001), ref: 03E23EB1
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 03E23EBF
                                                                    • GetCurrentProcessId.KERNEL32(?,?), ref: 03E23EC9
                                                                    • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 03E23EDE
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 03E23F5B
                                                                    • EnableWindow.USER32(?,00000001), ref: 03E23F97
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                                                                    • String ID:
                                                                    • API String ID: 1877664794-0
                                                                    • Opcode ID: a0a10e83d8b51f3e67db68a97753ed456b9c8c283bcb5a02a94715b37f307e49
                                                                    • Instruction ID: 7782710dd7b178ccfaed91b8f222b2a296020d5d2dc715437ce6242edb7731ab
                                                                    • Opcode Fuzzy Hash: a0a10e83d8b51f3e67db68a97753ed456b9c8c283bcb5a02a94715b37f307e49
                                                                    • Instruction Fuzzy Hash: 1441C176A003689FEB30DF74EC45BDEBBB8AF05714F281219E955AB281D77495048F10
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID:
                                                                    • API String ID: 4218353326-0
                                                                    APIs
                                                                    • GetComputerNameA.KERNEL32(03E7A62C,03E741E3), ref: 03E7EB74
                                                                    • _strncpy.LIBCMT ref: 03E7EB8D
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03E7EBA8
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F49564,00000000,00020019,?), ref: 03E7EBC2
                                                                    • RegQueryValueExA.ADVAPI32(?,03F49554,00000000,?,?,?), ref: 03E7EBF2
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E7EBFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseComputerErrorLastNameOpenQueryValue_strncpy
                                                                    • String ID:
                                                                    • API String ID: 3427535221-0
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(03F48380), ref: 03E7842F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B227
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B242
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B25D
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B278
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B293
                                                                    • FreeLibrary.KERNEL32(?,00000000,00000000,03E8BA75,00000000,00000000), ref: 03E8B29F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 2760834801-0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <?xml
                                                                    • API String ID: 0-3289271068
                                                                    APIs
                                                                      • Part of subcall function 03E7459F: GetVersionExA.KERNEL32(?), ref: 03E745B9
                                                                    • CreateFileA.KERNEL32(03F48C64,C0000000,00000003,00000000,00000003,40000000,00000000), ref: 03E7998C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileVersion
                                                                    • String ID:
                                                                    • API String ID: 3921466578-0
                                                                    APIs
                                                                      • Part of subcall function 03E778E4: GetModuleHandleA.KERNEL32(03F48958,03F48964,?,?,?,03E74BA2,?,?,?,?,?,?,?,?,[varPassword]), ref: 03E778F3
                                                                      • Part of subcall function 03E778E4: GetProcAddress.KERNEL32(00000000), ref: 03E778FA
                                                                      • Part of subcall function 03E778E4: GetCurrentProcess.KERNEL32(00000000,?,?), ref: 03E7790E
                                                                    • CreateFileA.KERNEL32(03F48C74,C0000000,00000003,00000000,00000003,40000000,00000000), ref: 03E79A2C
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 03E79A39
                                                                    • DeviceIoControl.KERNEL32(00000000,0022E000,00000000,00000000,?,00000008,?,?), ref: 03E79A58
                                                                    • GetOverlappedResult.KERNEL32(00000000,?,?,00000001), ref: 03E79A69
                                                                    • CloseHandle.KERNEL32(?), ref: 03E79A78
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E79A7B
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$CloseCreate$AddressControlCurrentDeviceEventFileModuleOverlappedProcProcessResult
                                                                    • String ID:
                                                                    • API String ID: 3754826857-0
                                                                    APIs
                                                                    • CreateThread.KERNEL32(00000000,00000000,03E6766A,?,00000000,?), ref: 03E6795D
                                                                    • WaitForSingleObject.KERNEL32(00000000,?,?,00000000,?), ref: 03E67973
                                                                    • TerminateThread.KERNEL32(00000000,00000000,?,00000000,?), ref: 03E67982
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 03E67989
                                                                      • Part of subcall function 03E6766A: __EH_prolog3.LIBCMT ref: 03E67689
                                                                      • Part of subcall function 03E6766A: _memset.LIBCMT ref: 03E676AD
                                                                      • Part of subcall function 03E6766A: _memset.LIBCMT ref: 03E676C9
                                                                      • Part of subcall function 03E6766A: _memset.LIBCMT ref: 03E676E8
                                                                      • Part of subcall function 03E6766A: _memset.LIBCMT ref: 03E6770A
                                                                      • Part of subcall function 03E6766A: _memset.LIBCMT ref: 03E67721
                                                                      • Part of subcall function 03E6766A: _memset.LIBCMT ref: 03E6773D
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$Thread$CloseCreateH_prolog3HandleObjectSingleTerminateWait
                                                                    • String ID:
                                                                    • API String ID: 2679943387-0
                                                                    APIs
                                                                    • CreateThread.KERNEL32(00000000,00000000,03E56920,?,00000000,?), ref: 03E56C94
                                                                    • WaitForSingleObject.KERNEL32(00000000,?,?,00000000,?), ref: 03E56CAA
                                                                    • TerminateThread.KERNEL32(00000000,00000000,?,00000000,?), ref: 03E56CB9
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 03E56CC0
                                                                      • Part of subcall function 03E569C9: __EH_prolog3_GS.LIBCMT ref: 03E569D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CloseCreateH_prolog3_HandleObjectSingleTerminateWait
                                                                    • String ID:
                                                                    • API String ID: 1316626715-0
                                                                    APIs
                                                                    • FindWindowA.USER32(03F53A80,03F53A88), ref: 03EBFEB4
                                                                    • RegisterClipboardFormatA.USER32(03F53D94), ref: 03EBFEC8
                                                                    • RegisterClipboardFormatA.USER32(03F53D7C), ref: 03EBFED4
                                                                    • RegisterClipboardFormatA.USER32(03F53A9C), ref: 03EBFEE0
                                                                    • SendMessageA.USER32(?,?,00000000,00000000), ref: 03EBFEFB
                                                                    • SendMessageA.USER32(?,?,00000000,00000000), ref: 03EBFF17
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                                                    • String ID:
                                                                    • API String ID: 1416857345-0
                                                                    APIs
                                                                    • GetFocus.USER32 ref: 03E2F189
                                                                    • GetParent.USER32(00000000), ref: 03E2F1B2
                                                                      • Part of subcall function 03E2F074: GetWindowLongA.USER32(?,000000F0), ref: 03E2F093
                                                                      • Part of subcall function 03E2F074: GetClassNameA.USER32(?,?,0000000A), ref: 03E2F0A8
                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 03E2F1CD
                                                                    • GetParent.USER32(?), ref: 03E2F1DB
                                                                    • GetDesktopWindow.USER32 ref: 03E2F1DF
                                                                    • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 03E2F1F3
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$LongParent$ClassDesktopFocusMessageNameSend
                                                                    • String ID:
                                                                    • API String ID: 3020784601-0
                                                                    APIs
                                                                    • ClientToScreen.USER32(?,?), ref: 03E2F125
                                                                    • GetDlgCtrlID.USER32(00000000), ref: 03E2F139
                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 03E2F147
                                                                    • GetWindowRect.USER32(00000000,?), ref: 03E2F159
                                                                    • PtInRect.USER32(?,?,?), ref: 03E2F169
                                                                    • GetWindow.USER32(?,00000005), ref: 03E2F176
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$ClientCtrlLongScreen
                                                                    • String ID:
                                                                    • API String ID: 1315500227-0
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 03E68876
                                                                    • GetParent.USER32(?), ref: 03E6889B
                                                                      • Part of subcall function 03E3028D: ScreenToClient.USER32(?,03E290DE), ref: 03E302A1
                                                                      • Part of subcall function 03E3028D: ScreenToClient.USER32(?,03E290E6), ref: 03E302AA
                                                                    • GetParent.USER32(?), ref: 03E688AD
                                                                    • InvalidateRect.USER32(?,?,00000001,00000000), ref: 03E688BE
                                                                    • GetParent.USER32(?), ref: 03E688C7
                                                                    • UpdateWindow.USER32(?), ref: 03E688D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Parent$ClientRectScreenWindow$InvalidateUpdate
                                                                    • String ID:
                                                                    • API String ID: 4273046897-0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: _sprintf
• String ID:
APIs
• _memset.LIBCMT ref: 03E66915
• _memset.LIBCMT ref: 03E66927
  • Part of subcall function 03E60CFE: _malloc.LIBCMT ref: 03E60D11
  • Part of subcall function 03E60880: CloseHandle.KERNEL32(03E66972,03E66972), ref: 03E608D0
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: _memset$CloseHandle_malloc
• String ID: &#$(F()@#)$*&R&VHjDH*(#9@(@*&$V*><UJ&$IPStringTable$abc
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: _memset$_strncmp
• String ID: 3
APIs
• GlobalFix.KERNEL32(?), ref: 03E35AB9
• lstrlen.KERNEL32(?), ref: 03E35B01
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 03E35B1B
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: ByteCharGlobalMultiWidelstrlen
• String ID: System
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: _memset$_strncmp
• String ID: 3
APIs
• _malloc.LIBCMT ref: 03E66EFA
  • Part of subcall function 03E35D96: __FF_MSGBANNER.LIBCMT ref: 03E35DB9
  • Part of subcall function 03E35D96: RtlAllocateHeap.NTDLL(00000000,03E11FB5), ref: 03E35E0E
• _realloc.LIBCMT ref: 03E66F2E
  • Part of subcall function 03E362D5: _malloc.LIBCMT ref: 03E362EB
• lstrcpy.KERNEL32(00000004,03E566D0), ref: 03E66F49
• lstrcpy.KERNEL32(00000108,03EDDBF0), ref: 03E66F57
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: _malloclstrcpy$AllocateHeap_realloc
• String ID: Icon
APIs
• SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 03EC8C3D
• UpdateWindow.USER32(?), ref: 03EC8C54
• GetParent.USER32(?), ref: 03EC8CBC
• PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 03EC8CD8
  • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
  • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: Message$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
• String ID: @
APIs
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 03E27AF9
• GetSystemMetrics.USER32(00000000), ref: 03E27B11
• GetSystemMetrics.USER32(00000001), ref: 03E27B18
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: System$Metrics$InfoParameters
• String ID: B$DISPLAY
APIs
• GetStockObject.GDI32(00000011), ref: 03E35C04
• GetStockObject.GDI32(0000000D), ref: 03E35C0C
• GetObjectA.GDI32(00000000,0000003C,?), ref: 03E35C19
• MulDiv.KERNEL32(00000000,00000048,00000000), ref: 03E35C48
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: Object$Stock
• String ID: System
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID:
• String ID: Edit
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: _memset$_sprintf
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: _memset$H_prolog3
• String ID:
APIs
• __EH_prolog3.LIBCMT ref: 03ECC5D2
• MapDialogRect.USER32(?,00000000), ref: 03ECC663
• SysAllocStringLen.OLEAUT32(?,?), ref: 03ECC682
  • Part of subcall function 03E236A8: _malloc.LIBCMT ref: 03E236C2
• SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,?,00000004,00000000), ref: 03ECC816
• SysFreeString.OLEAUT32(00000000), ref: 03ECC868
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: String$AllocDialogFreeH_prolog3RectWindow_malloc
• String ID:
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_strlen
                                                                    • String ID:
                                                                    • API String ID: 1975251954-0
                                                                    • Opcode ID: 3fbff597dbbef0d8c46f759f45e44ee239e65901f9ef431e2afc863e879bd340
                                                                    • Instruction ID: 168f75340c1de5db3f9ba2db86042dcd851fc60d4e4aeb749811aa6f470a49f3
                                                                    • Opcode Fuzzy Hash: 3fbff597dbbef0d8c46f759f45e44ee239e65901f9ef431e2afc863e879bd340
                                                                    • Instruction Fuzzy Hash: CAA192B26006489FDB21EB65CC95FFF77EDAB45309F04440EE909D7242DB38AA49CB25
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset_sprintf$_malloc
                                                                    • String ID:
                                                                    • API String ID: 2967775176-0
                                                                    • Opcode ID: 7dbb4ac64cd5f9ac7191e6c94fc84dbc2e1972d31ace3c282fc3af4b9159892f
                                                                    • Instruction ID: 89012d28724259a100138e118861ae69baa978c0ef98ec269c16e7e5bc04a9c6
                                                                    • Opcode Fuzzy Hash: 7dbb4ac64cd5f9ac7191e6c94fc84dbc2e1972d31ace3c282fc3af4b9159892f
                                                                    • Instruction Fuzzy Hash: 9471AE3190410AAFDF119F648C89AEE7FB9EB06305F1040AAF841A7251DB399F498B98
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset_sprintf$_malloc
                                                                    • String ID:
                                                                    • API String ID: 2967775176-0
                                                                    • Opcode ID: aeb02c0e6a5df0854709d5f7fe23952393b1cb7c532fe6db18349348b77a36fe
                                                                    • Instruction ID: 068f4776adaf5d056701d89a840d9595804ca1d1969be95548a8024f8887c9ac
                                                                    • Opcode Fuzzy Hash: aeb02c0e6a5df0854709d5f7fe23952393b1cb7c532fe6db18349348b77a36fe
                                                                    • Instruction Fuzzy Hash: E0717471D0410AAFDF15EF68CC98AFEBB79EF06208F1852A5E84DE7250D7319A45CB90
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _wctomb_s
                                                                    • String ID:
                                                                    • API String ID: 2865277502-0
                                                                    • Opcode ID: 3aec9f3470c78a79ae05098f22f3b4cf88a8d4724e5e8c19ec1a688ab151c3d7
                                                                    • Instruction ID: 9c0c33f28aea349fc793a69d20ffa13a4576ce4543a769dccadbc3e40ffff999
                                                                    • Opcode Fuzzy Hash: 3aec9f3470c78a79ae05098f22f3b4cf88a8d4724e5e8c19ec1a688ab151c3d7
                                                                    • Instruction Fuzzy Hash: C261A0B180428AEFCF219F5488B15BE3B61AF11354B6441BFF9A466340DB388D91CB9F
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _wctomb_s
                                                                    • String ID:
                                                                    • API String ID: 2865277502-0
                                                                    • Opcode ID: eefada11dacc84ca9b92f6bb08b0ddd819449891015164cf63ab7166e4b52e43
                                                                    • Instruction ID: 7efb4d5390d5ac254e7eed9926176f0bcce723616e455f466cf230facfb5f5fe
                                                                    • Opcode Fuzzy Hash: eefada11dacc84ca9b92f6bb08b0ddd819449891015164cf63ab7166e4b52e43
                                                                    • Instruction Fuzzy Hash: B4619C7180528AEFCF21CF5888844EEBBB1BB06318F6D637EE9545A141D3309E86CB85
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _printf_strcat
                                                                    • String ID:
                                                                    • API String ID: 2039320651-0
                                                                    • Opcode ID: 97d7af311c39c5dbb446c271b85a57e67b81ddc90acb4f22ddb8ec9fe0ac5938
                                                                    • Instruction ID: 2cf9010320b8565dc3cdfa80441e17496278743da212dd571bea7e3784426679
                                                                    • Opcode Fuzzy Hash: 97d7af311c39c5dbb446c271b85a57e67b81ddc90acb4f22ddb8ec9fe0ac5938
                                                                    • Instruction Fuzzy Hash: 0F71CE71240306AFCB15DF64C998BBDBBB5FF45308F14A66AE4668B282C771DE41CB80
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E30A72
                                                                    • GetSysColor.USER32(00000014), ref: 03E30AB0
                                                                      • Part of subcall function 03E30A28: __EH_prolog3.LIBCMT ref: 03E30A2F
                                                                      • Part of subcall function 03E30A28: CreateSolidBrush.GDI32(?), ref: 03E30A4A
                                                                    • GetSysColor.USER32(00000010), ref: 03E30AC1
                                                                    • GetObjectA.GDI32(00000004,00000018,?), ref: 03E30B0A
                                                                      • Part of subcall function 03E308DC: SelectObject.GDI32(03E5E57F,03E5E57F), ref: 03E308E4
                                                                    • GetPixel.GDI32(?,00000000,00000000), ref: 03E30B8D
                                                                      • Part of subcall function 03E2FCFB: SetBkColor.GDI32(?,73A26180), ref: 03E2FD15
                                                                      • Part of subcall function 03E2FCFB: SetBkColor.GDI32(?,73A26180), ref: 03E2FD23
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Color$H_prolog3Object$BrushCreatePixelSelectSolid
                                                                    • String ID:
                                                                    • API String ID: 371136541-0
                                                                    • Opcode ID: a0537b949d2d43c89ba00c4d43557e212ef5834a04cd3a22243548aaab05254e
                                                                    • Instruction ID: eb3441e79940438d59f2ee3d3419f65eb5a8de39daa299d9abdbc351652efa6c
                                                                    • Opcode Fuzzy Hash: a0537b949d2d43c89ba00c4d43557e212ef5834a04cd3a22243548aaab05254e
                                                                    • Instruction Fuzzy Hash: EC81F3B5C0021DAEDF11EF94DC849EEBFB9EF09344F149229F516AA160CB314E52DB60
                                                                    APIs
                                                                    • _sprintf.LIBCMT ref: 03E7F267
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,03E741D5,03E741B9,00000000), ref: 03E7F282
                                                                    • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 03E7F2B6
                                                                    • _memset.LIBCMT ref: 03E7F2F1
                                                                      • Part of subcall function 03E7EF86: DeviceIoControl.KERNEL32(03E7426B,0007C088,?,00000020,?,00000210,03E7F313,00000000), ref: 03E7EFDB
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E7F3FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ControlDevice$CloseCreateFileHandle_memset_sprintf
                                                                    • String ID:
                                                                    • API String ID: 3772931437-0
                                                                    • Opcode ID: 5cdcf245ae444a1f076bb2a79c623088831f645deb1fae0ed2416844741a9964
                                                                    • Instruction ID: bdb4d0b533774814b6de74af4ed248da823ed003f61d6ff0a86bd329253d0dcf
                                                                    • Opcode Fuzzy Hash: 5cdcf245ae444a1f076bb2a79c623088831f645deb1fae0ed2416844741a9964
                                                                    • Instruction Fuzzy Hash: B551037190029DAFDF11DFA4CC94AEFBBB9EF45304F1446A5E580FB141D670AA8ACB50
                                                                    APIs
                                                                    • __invoke_watson.LIBCMT ref: 03E4535A
                                                                      • Part of subcall function 03E3C74A: _memset.LIBCMT ref: 03E3C7D6
                                                                      • Part of subcall function 03E3C74A: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 03E3C7F4
                                                                      • Part of subcall function 03E3C74A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 03E3C7FE
                                                                      • Part of subcall function 03E3C74A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 03E3C808
                                                                      • Part of subcall function 03E3C74A: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 03E3C823
                                                                      • Part of subcall function 03E3C74A: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 03E3C82A
                                                                    • _cvtdate.LIBCMT ref: 03E453E6
                                                                    • _cvtdate.LIBCMT ref: 03E45443
                                                                    • _cvtdate.LIBCMT ref: 03E45481
                                                                    • _cvtdate.LIBCMT ref: 03E45499
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _cvtdate$ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate__invoke_watson_memset
                                                                    • String ID:
                                                                    • API String ID: 3518405098-0
                                                                    • Opcode ID: d72cdd1e0bd6c4943a739630aec7e1727b9cd83c53fdf776597fb908dff4e007
                                                                    • Instruction ID: 2047b7bceadfe2b67f9d91e3e8e10088fa6da074036231881299c02ab4af57fb
                                                                    • Opcode Fuzzy Hash: d72cdd1e0bd6c4943a739630aec7e1727b9cd83c53fdf776597fb908dff4e007
                                                                    • Instruction Fuzzy Hash: 3C51CEA2600525BBCB20EB56BD9097F77BDEB4E716B10A216F546C90C8F3B49880CB61
                                                                    APIs
                                                                    • getSystemCP.LIBCMT ref: 0044A14A
                                                                      • Part of subcall function 0044A0B7: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044A0C4
                                                                    • setSBCS.LIBCMT ref: 0044A15C
                                                                      • Part of subcall function 00449E34: _memset.LIBCMT ref: 00449E47
                                                                    • _memset.LIBCMT ref: 0044A1CD
                                                                    • setSBUpLow.LIBCMT ref: 0044A2A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Locale_memset$SystemUpdateUpdate::_
                                                                    • String ID:
                                                                    • API String ID: 880338414-0
                                                                    • Opcode ID: d9f6d8d89d16eddbf20d97d6bdd8bf5ee23efbd5db92b518c5b9c087325eb7ac
                                                                    • Instruction ID: b4e937db0a3e3a3ced2b9d375b08f739efba200c38bb6cb7058d9cf4e41def79
                                                                    • Opcode Fuzzy Hash: d9f6d8d89d16eddbf20d97d6bdd8bf5ee23efbd5db92b518c5b9c087325eb7ac
                                                                    • Instruction Fuzzy Hash: ED5135319402149BFF15CF65C8802BFBBA4FF05300F1480ABE8859F382D6BD8852EB96
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_sprintf
                                                                    • String ID:
                                                                    • API String ID: 891462717-0
                                                                    • Opcode ID: 6ad1b432ebfc512a36519ca0beb9639907f53bb8cd5f3355a3721421932bcdfe
                                                                    • Instruction ID: 85c53d9b52e5b5e1c2985409271061f7afbafd1b5ba7dab553e1df65f2eab926
                                                                    • Opcode Fuzzy Hash: 6ad1b432ebfc512a36519ca0beb9639907f53bb8cd5f3355a3721421932bcdfe
                                                                    • Instruction Fuzzy Hash: 5B51157190415CEADF21CF69CC45BEE7BBCEB15304F5484E6E948E6282C2388B48CF65
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc_sprintf$__output_l_memset
                                                                    • String ID:
                                                                    • API String ID: 3237302599-0
                                                                    • Opcode ID: 24bd295d2421a1fb4c6bb532347d48c0b938d7b4981380b9b2d0673d6725be86
                                                                    • Instruction ID: d201a75761f995f000686b1a8771a8caf34e7df012947fe77ff63b5e67ebe1d0
                                                                    • Opcode Fuzzy Hash: 24bd295d2421a1fb4c6bb532347d48c0b938d7b4981380b9b2d0673d6725be86
                                                                    • Instruction Fuzzy Hash: D941C572900009BFCF11EFA8CC848EE7FB6EF0A314B1445AAF855E7251E6369F199B54
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc_sprintf$__output_l_memset
                                                                    • String ID:
                                                                    • API String ID: 3237302599-0
                                                                    • Opcode ID: 880b84e5636b4b83c088c9ed90b0434e69daac4d5cd5daf5fd88ab639f8b129b
                                                                    • Instruction ID: 192534a898433d134ad17fc146c152728d3ba9c1c3e03cbf69bb0b841b94ef81
                                                                    • Opcode Fuzzy Hash: 880b84e5636b4b83c088c9ed90b0434e69daac4d5cd5daf5fd88ab639f8b129b
                                                                    • Instruction Fuzzy Hash: 2741B676904209EFCF01EF74CC888EE7BB9EF05304B0452A5E85DEB251D6329A19DB40
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: char_traits$String_base::_Xlenstd::_
                                                                    • String ID:
                                                                    • API String ID: 1810552321-0
                                                                    • Opcode ID: fb892aca3c47e137e20e001921420551f63aac76dd6501eb420c2112d4ceb692
                                                                    • Instruction ID: b84fec181d68c304d34bc77c1c4fad95faea6a871e96d2228edcf53d95a8fac6
                                                                    • Opcode Fuzzy Hash: fb892aca3c47e137e20e001921420551f63aac76dd6501eb420c2112d4ceb692
                                                                    • Instruction Fuzzy Hash: 8D41B271200104AFCF28DF28CA948AF37A6EF80315714891EFC568B741EB34ED90CB6A
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: char_traits$String_base::_Xlenstd::_
                                                                    • String ID:
                                                                    • API String ID: 1810552321-0
                                                                    • Opcode ID: 4fa4ef63a6c356bf9e5edf2c8d2ad81216f9cad996c90cf91bb823da370fd5de
                                                                    • Instruction ID: d0f4e20ea062299baf8c1d8ab7bf5f6b19922646c000fc79c0ef2be867bf56b2
                                                                    • Opcode Fuzzy Hash: 4fa4ef63a6c356bf9e5edf2c8d2ad81216f9cad996c90cf91bb823da370fd5de
                                                                    • Instruction Fuzzy Hash: 3B419071600208AFDF28DF68D9848AE7BB6EF847507149B1DFC568B740DB30E960CBA5
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$_malloc
                                                                    • String ID:
                                                                    • API String ID: 1848352940-0
                                                                    • Opcode ID: dcd73be61c145e03bfb0faf82aaed39d6b038fa0bb82df0c9aa1c694b1c857f8
                                                                    • Instruction ID: 0c204a98b823711495739309fb86364e3ce1fd8c7e3f31e4d21588d19bba41dd
                                                                    • Opcode Fuzzy Hash: dcd73be61c145e03bfb0faf82aaed39d6b038fa0bb82df0c9aa1c694b1c857f8
                                                                    • Instruction Fuzzy Hash: 36416BB5D00208EFDB00DFA5C984EAEB7B5EB49304F2085A9E502A7351D779AE85CF91
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __strdup$_strcat_s
                                                                    • String ID:
                                                                    • API String ID: 423726324-0
                                                                    • Opcode ID: 3cadb4fd33e3f9ae825be611d7b58b80ced31e1b46f911715aeb7a0354eda99e
                                                                    • Instruction ID: d2ade59524cdfe3f867d58f98e2aa0cf3235f70bb660c62a334bfac74aa53a43
                                                                    • Opcode Fuzzy Hash: 3cadb4fd33e3f9ae825be611d7b58b80ced31e1b46f911715aeb7a0354eda99e
                                                                    • Instruction Fuzzy Hash: 3D411D715003599FEB30DFA5CD85BEAB7E8EF08308F40582BF945D6641EB38EA448B65
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: char_traits$String_base::_Xlenstd::_
                                                                    • String ID:
                                                                    • API String ID: 1810552321-0
                                                                    • Opcode ID: a77af8110a97aa1327edfaa6804ad9a56ba00e83d55789c7bdb83d361e60ee59
                                                                    • Instruction ID: 0740a680ea05c320b598870dfb6404063c1ec39ae9c6b40f98534f1f7c00c726
                                                                    • Opcode Fuzzy Hash: a77af8110a97aa1327edfaa6804ad9a56ba00e83d55789c7bdb83d361e60ee59
                                                                    • Instruction Fuzzy Hash: 9F4160B02001059FCF18CF59DA84D6E77A6EB81305B14490EFC52AB397CE34ED58CB6A
                                                                    APIs
                                                                      • Part of subcall function 0046835E: _strlen.LIBCMT ref: 0046839F
                                                                      • Part of subcall function 0046835E: _strlen.LIBCMT ref: 004683C1
                                                                      • Part of subcall function 0046835E: _strlen.LIBCMT ref: 004683CB
                                                                      • Part of subcall function 0046835E: _strlen.LIBCMT ref: 004683F8
                                                                      • Part of subcall function 0046835E: _strlen.LIBCMT ref: 00468404
                                                                    • _malloc.LIBCMT ref: 00468A82
                                                                      • Part of subcall function 0043E4A6: __FF_MSGBANNER.LIBCMT ref: 0043E4C9
                                                                    • _strlen.LIBCMT ref: 00468ABA
                                                                    • _strlen.LIBCMT ref: 00468ACD
                                                                    • _strlen.LIBCMT ref: 00468B01
                                                                    • _strlen.LIBCMT ref: 00468B2E
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$_malloc
                                                                    • String ID:
                                                                    • API String ID: 1848352940-0
                                                                    • Opcode ID: 2d8f61c80b5a1889fdaa29874b9ff43c6e18e0605473654abdbd03e8aecad07d
                                                                    • Instruction ID: 9f492b10fa5799ebf27532033a5877349f672fad87f6eb40c6dc5ed674cac0fc
                                                                    • Opcode Fuzzy Hash: 2d8f61c80b5a1889fdaa29874b9ff43c6e18e0605473654abdbd03e8aecad07d
                                                                    • Instruction Fuzzy Hash: 76316FB280011DBBDF11AFA5DC81DEF7B78EB04719F00456BF914A2191EA398E509B6A
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: char_traits$String_base::_Xlenstd::_
                                                                    • String ID:
                                                                    • API String ID: 1810552321-0
                                                                    • Opcode ID: 9dec27b70a275e8ba9f82d3af053e041ac8efed79d705dd935df81e4d23664a1
                                                                    • Instruction ID: e7f2e00ff00f56b10d1fb12dae6c29a547925437e1381d6bf82f72d235ea20c0
                                                                    • Opcode Fuzzy Hash: 9dec27b70a275e8ba9f82d3af053e041ac8efed79d705dd935df81e4d23664a1
                                                                    • Instruction Fuzzy Hash: 2C415C74600209AFDF18CF9CD984EAE77B6EF84304B149B59FC129B286DA30ED50CB65
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memcmp_strcat
                                                                    • String ID:
                                                                    • API String ID: 230057512-0
                                                                    • Opcode ID: 5de8a76159992dee1e503a5ab441788675393a1f0077ee224ad25ac48a5aee60
                                                                    • Instruction ID: 5c690eac962f78bffc54e0e415f2e159df929b92a8d47e6589db6d79da6dbd93
                                                                    • Opcode Fuzzy Hash: 5de8a76159992dee1e503a5ab441788675393a1f0077ee224ad25ac48a5aee60
                                                                    • Instruction Fuzzy Hash: AF3107B2500300BFDB10DF54DC80FEAB3ACAF46394F14666BE4599B181E772E956C790
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03EC0C69
                                                                      • Part of subcall function 03E30669: __EH_prolog3.LIBCMT ref: 03E30670
                                                                      • Part of subcall function 03E2FD87: SetMapMode.GDI32(?,?), ref: 03E2FDA0
                                                                      • Part of subcall function 03E2FD87: SetMapMode.GDI32(?,?), ref: 03E2FDAE
                                                                    • LPtoDP.GDI32(?,00000018,00000001), ref: 03EC0CBB
                                                                    • LPtoDP.GDI32(?,?,00000001), ref: 03EC0CD3
                                                                    • LPtoDP.GDI32(?,?,00000001), ref: 03EC0CEB
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 03EC0D79
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3Mode$InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 226103122-0
                                                                    • Opcode ID: ac2ca3fe81461341eeb91db45618edfc767f900050ccbaa55363e4931ba4574e
                                                                    • Instruction ID: 8c3cabb2d88893a9f42e78bcb27a868af15f15912a47b3f7bd0af4c9f6763da5
                                                                    • Opcode Fuzzy Hash: ac2ca3fe81461341eeb91db45618edfc767f900050ccbaa55363e4931ba4574e
                                                                    • Instruction Fuzzy Hash: D241F4B4650B09CFDB21DF29C980A6ABBF5BF49704F104A6EE5969B760D7B0E801CF10
                                                                    APIs
                                                                    • __lock.LIBCMT ref: 03E3F683
                                                                      • Part of subcall function 03E3B67E: __mtinitlocknum.LIBCMT ref: 03E3B692
                                                                      • Part of subcall function 03E3B67E: __amsg_exit.LIBCMT ref: 03E3B69E
                                                                      • Part of subcall function 03E3B67E: RtlEnterCriticalSection.NTDLL(?), ref: 03E3B6A6
                                                                    • __mtinitlocknum.LIBCMT ref: 03E3F6C3
                                                                    • __malloc_crt.LIBCMT ref: 03E3F707
                                                                    • ___crtInitCritSecAndSpinCount.LIBCMT ref: 03E3F72C
                                                                    • RtlEnterCriticalSection.NTDLL(03F7FC98), ref: 03E3F756
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalEnterSection__mtinitlocknum$CountCritInitSpin___crt__amsg_exit__lock__malloc_crt
                                                                    • String ID:
                                                                    • API String ID: 1486408876-0
                                                                    • Opcode ID: cbc8d5e5a414d0eee6221b24539ed6e1d8e2aaa10bfabad25f984129c572d337
                                                                    • Instruction ID: d658c99e79c0131db9aa4ac5f53f4f11a6722e142dbe2a76449c9744d28f0523
                                                                    • Opcode Fuzzy Hash: cbc8d5e5a414d0eee6221b24539ed6e1d8e2aaa10bfabad25f984129c572d337
                                                                    • Instruction Fuzzy Hash: 8A31BE7AA0071A9FD720EFA8D498A69F3F4FF0A320B55525DE8519B290CB70E543CF40
                                                                    APIs
                                                                    • __EH_prolog3_catch.LIBCMT ref: 03E32C84
                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 03E32CA3
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 03E32CC1
                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 03E32D3C
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E32D47
                                                                      • Part of subcall function 03E24DB9: __EH_prolog3.LIBCMT ref: 03E24DC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
                                                                    • String ID:
                                                                    • API String ID: 301487041-0
                                                                    • Opcode ID: c0892a86d450991267230fd380c61178fa9050fc364d254dbb19c019657f73da
                                                                    • Instruction ID: 28c5759d1e28b93d80cf16fe2ce2e8033f1149d452f5f32ce0a2b92ddf834b5f
                                                                    • Opcode Fuzzy Hash: c0892a86d450991267230fd380c61178fa9050fc364d254dbb19c019657f73da
                                                                    • Instruction Fuzzy Hash: 1921B176D00219DBDB21EF54D845AFEB7B4EF05310F15032AED85AB280DB705E54CB91
                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 03E86D10
                                                                    • GetProcessWindowStation.USER32 ref: 03E86D16
                                                                    • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 03E86D31
                                                                    • GetLastError.KERNEL32 ref: 03E86D3B
                                                                    • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?), ref: 03E86D71
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: InformationObjectUserWindow$DesktopErrorLastProcessStation
                                                                    • String ID:
                                                                    • API String ID: 1078967293-0
                                                                    • Opcode ID: 47f507460b3d3647a1b40828f7160a965682dc78677472c6ade28fe4be41d09b
                                                                    • Instruction ID: 41bb40a701f88c2ba955fe4d17f8a8bab5628a7b100ba732bb5eb4ee021a0af4
                                                                    • Opcode Fuzzy Hash: 47f507460b3d3647a1b40828f7160a965682dc78677472c6ade28fe4be41d09b
                                                                    • Instruction Fuzzy Hash: 47110A31A41219EFDB20EBA5EC46B9FB77CEF40325F140361EA09D61C0D73199118690
                                                                    APIs
                                                                      • Part of subcall function 03E2D50C: GetWindowLongA.USER32(?,000000F0), ref: 03E2D517
                                                                    • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 03EC8189
                                                                    • SendMessageA.USER32(?,00000086,00000000,00000000), ref: 03EC819E
                                                                    • GetDesktopWindow.USER32 ref: 03EC81A2
                                                                    • SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 03EC81CA
                                                                    • GetWindow.USER32(00000000), ref: 03EC81CF
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$DesktopLong
                                                                    • String ID:
                                                                    • API String ID: 2272707703-0
                                                                    • Opcode ID: f7969c4b4a2a14db88256e1d32345aedc0817a1ab7b0ed9362951f4e5dc144f0
                                                                    • Instruction ID: fb402e85fe95127e1ee6de8525c38ff7ebb18ab5c4f347ea584fc7c6021761ce
                                                                    • Opcode Fuzzy Hash: f7969c4b4a2a14db88256e1d32345aedc0817a1ab7b0ed9362951f4e5dc144f0
                                                                    • Instruction Fuzzy Hash: 801127323107656BE635EA25CF81FAFBBEDAF41758F05231CF6415A190CFA1D8128660
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 03E290A7
                                                                    • GetWindowRect.USER32(00000000,?), ref: 03E290CD
                                                                    • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 03E290F8
                                                                    • GetWindow.USER32(00000005,00000005), ref: 03E29101
                                                                    • ScrollWindow.USER32(?,?,?,?,?), ref: 03E2911A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$RectScrollVisible
                                                                    • String ID:
                                                                    • API String ID: 2639402888-0
                                                                    • Opcode ID: 3b8c21120b0ae6efef7c0c31899506ef98a802e11952f64de59936e71190a41c
                                                                    • Instruction ID: 5fddebc489686b448494374b6b3dc2e28b387cd90a877bc35b8829f2f3785d02
                                                                    • Opcode Fuzzy Hash: 3b8c21120b0ae6efef7c0c31899506ef98a802e11952f64de59936e71190a41c
                                                                    • Instruction Fuzzy Hash: CC219D32200229AFCF15DF66DC48EBF7BB9FF48304F045619F90692151E771A820CB50
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _sprintf$__output_l
                                                                    • String ID:
                                                                    • API String ID: 1830584065-0
                                                                    • Opcode ID: 4b403e35fc72ba0297c397d1f62d53dc505f94fd8041565665a82fe8812a5983
                                                                    • Instruction ID: be573ce98e20830d3864d1fbff11f3b81478e8d243adc42fc6336768656e182d
                                                                    • Opcode Fuzzy Hash: 4b403e35fc72ba0297c397d1f62d53dc505f94fd8041565665a82fe8812a5983
                                                                    • Instruction Fuzzy Hash: 351193B6A001407BF614A7658C01FF632D5EB98309F45D67EF806A7232EFBE44648276
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _sprintf$__output_l
                                                                    • String ID:
                                                                    • API String ID: 1830584065-0
                                                                    • Opcode ID: ac54bb664ff87c9899dc091dea82cbaf65a8e181ae60c1847a9d061eb7a73242
                                                                    • Instruction ID: 9975fd668d6d1a42cd964eedae8d9664acee1098b20f42744c8cb7228314d03b
                                                                    • Opcode Fuzzy Hash: ac54bb664ff87c9899dc091dea82cbaf65a8e181ae60c1847a9d061eb7a73242
                                                                    • Instruction Fuzzy Hash: 8311E7BDA903017FDA41EF549C07EDB3274BB5EA05F085715FA191A202EAF5D428CA62
                                                                    APIs
                                                                    • lstrlen.KERNEL32(?), ref: 03E2EF66
                                                                    • _memset.LIBCMT ref: 03E2EF83
                                                                    • GetWindowTextA.USER32(?,00000000,00000100), ref: 03E2EF9D
                                                                    • lstrcmp.KERNEL32(00000000,?), ref: 03E2EFAF
                                                                    • SetWindowTextA.USER32(?,?), ref: 03E2EFBB
                                                                      • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
                                                                      • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
                                                                    • String ID:
                                                                    • API String ID: 4273134663-0
                                                                    • Opcode ID: 28acea157ac32b9ec0940d0775820c7d790a2d8bf48127e4ddbb4ea9f20d19c6
                                                                    • Instruction ID: a57926e818fb24da3e6fd4137556d3f31435955dc33c98aaf451d4d06f4ad2fa
                                                                    • Opcode Fuzzy Hash: 28acea157ac32b9ec0940d0775820c7d790a2d8bf48127e4ddbb4ea9f20d19c6
                                                                    • Instruction Fuzzy Hash: 6101F9B5A0123867DB10EB75EC84BDF7B7CEF59344F041165E946E7140DA70D9448BA0
                                                                    APIs
                                                                    • FindWindowA.USER32(00000000,?), ref: 03E18B8C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: FindWindow
                                                                    • String ID:
                                                                    • API String ID: 134000473-0
                                                                    • Opcode ID: 79d2491e2eb7da174d039aa9a94eb7d96f75be56ee682e735c032a83525ea8f1
                                                                    • Instruction ID: 7fddb859847a046e00fb10532881d7813a1623eabe12de47ebab567700042334
                                                                    • Opcode Fuzzy Hash: 79d2491e2eb7da174d039aa9a94eb7d96f75be56ee682e735c032a83525ea8f1
                                                                    • Instruction Fuzzy Hash: D011DBB9905218EFCB00EFA4D888BAFBBB8FF08305F009A58E512E7240D7749650CB60
                                                                    APIs
                                                                    • FindWindowA.USER32(03F48B84,00000000), ref: 03E79573
                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 03E795A4
                                                                    • Sleep.KERNEL32(000000FA), ref: 03E795AF
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePeekSleepWindow
                                                                    • String ID:
                                                                    • API String ID: 2814917012-0
                                                                    • Opcode ID: 1b045236874e9534538db30a2791e83dc0008ea1d832061838f4025d36ed37c6
                                                                    • Instruction ID: f4c2b2f7d537c3b3fd96193988fca3fb21133d050c16d727a8e0ddd047163e88
                                                                    • Opcode Fuzzy Hash: 1b045236874e9534538db30a2791e83dc0008ea1d832061838f4025d36ed37c6
                                                                    • Instruction Fuzzy Hash: ACF0AF72A00229ABCF10FBA6EC08DAB7B7CEF85B88B040611F916D204AE334D001CB70
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,00002710), ref: 03E5C17D
                                                                    • TerminateThread.KERNEL32(?,00000000), ref: 03E5C195
                                                                    • CloseHandle.KERNEL32(?), ref: 03E5C1A1
                                                                    • GetExitCodeThread.KERNEL32(?,00000000), ref: 03E5C1B7
                                                                    • CloseHandle.KERNEL32(?), ref: 03E5C1C7
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleThread$CodeExitObjectSingleTerminateWait
                                                                    • String ID:
                                                                    • API String ID: 4081928577-0
                                                                    • Opcode ID: 5ccc2b06f587a42d5d86fde9c065af156fd952d0b8886be10cd50fff24762fa1
                                                                    • Instruction ID: 7e09a064610f94b39c1db8a52e43cdf59299ac5bb67f482c1e21bb6c8441c3dd
                                                                    • Opcode Fuzzy Hash: 5ccc2b06f587a42d5d86fde9c065af156fd952d0b8886be10cd50fff24762fa1
                                                                    • Instruction Fuzzy Hash: 94F0BE30001210EFEB50AB25EC09BDEBBBAFF00350F201629F85AE20B4CB716E60DB40
                                                                    APIs
                                                                    • GetSysColor.USER32(00000014), ref: 03E26CFB
                                                                    • GetSysColor.USER32(00000012), ref: 03E26D02
                                                                    • GetSysColor.USER32(00000006), ref: 03E26D09
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 03E26D16
                                                                    • GetSysColorBrush.USER32(00000006), ref: 03E26D1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Brush
                                                                    • String ID:
                                                                    • API String ID: 2798902688-0
                                                                    • Opcode ID: afcb46dbc8bc4b49b42629667daf3db6c7811a61918a4a72f15ab82386620a49
                                                                    • Instruction ID: cffa3e4dc1c498b9c7590823d37fc6ccfa629ef26c76ab2da91a56901f68e9a5
                                                                    • Opcode Fuzzy Hash: afcb46dbc8bc4b49b42629667daf3db6c7811a61918a4a72f15ab82386620a49
                                                                    • Instruction Fuzzy Hash: 60F05871A417849BDB20FB729949B06BFA1FFC0710F060A6ED1858B981E6B2A010CF10
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00437EF5
                                                                      • Part of subcall function 0042D4C9: __EH_prolog3.LIBCMT ref: 0042D4D0
                                                                    • _memset.LIBCMT ref: 00437F2D
                                                                      • Part of subcall function 0042C8F2: _strlen.LIBCMT ref: 0042C905
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$_memset_strlen
                                                                    • String ID: 0$@
                                                                    • API String ID: 345007730-1545510068
                                                                    • Opcode ID: bc3fb6aa54f213b25d0f54a0f05b6c48e07386748a798492c9c8f54981eda9c1
                                                                    • Instruction ID: 8d8d00e2f737295a87e84c6df8577c5e65a80b1e83fa1353297bc60bfdeeb675
                                                                    • Opcode Fuzzy Hash: bc3fb6aa54f213b25d0f54a0f05b6c48e07386748a798492c9c8f54981eda9c1
                                                                    • Instruction Fuzzy Hash: B0F135B1600248EFDF14DFA9C989EAEBBA9FF48304F04515AFE1587291DB39E841CB54
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E65B34
                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 03E65B5D
                                                                      • Part of subcall function 03E4C56E: __EH_prolog3.LIBCMT ref: 03E4C575
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E65B72
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    Strings
                                                                    • invalid map/set<T> iterator, xrefs: 03E65B45
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
                                                                    • String ID: invalid map/set<T> iterator
                                                                    • API String ID: 1048600877-152884079
                                                                    • Opcode ID: 89912bcaef3766db2112b7c1344037d59a8f9fbe029932ac3a601db055b0cc3b
                                                                    • Instruction ID: af2cbda08700c2ddf0eb28ce9a0be111f70ab079c8d6aa341b5cd3fe8701f50d
                                                                    • Opcode Fuzzy Hash: 89912bcaef3766db2112b7c1344037d59a8f9fbe029932ac3a601db055b0cc3b
                                                                    • Instruction Fuzzy Hash: 6BA14574A452819FD721CB28C198BA5BFB5AF46388F1CA5CCC1894F2D2D7B6E885CB50
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E4DFD3
                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 03E4DFFC
                                                                      • Part of subcall function 03E4C56E: __EH_prolog3.LIBCMT ref: 03E4C575
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E4E011
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    Strings
                                                                    • invalid map/set<T> iterator, xrefs: 03E4DFE4
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
                                                                    • String ID: invalid map/set<T> iterator
                                                                    • API String ID: 1048600877-152884079
                                                                    • Opcode ID: 6408eed05c45a4490642abf5a1ddaae93e0e1cb406308229bc1680de34fb66dc
                                                                    • Instruction ID: 2fb6ace3c25779103a1296760784607ad82de25d8b4b8e5f8ddbbcbb3dd3f3c9
                                                                    • Opcode Fuzzy Hash: 6408eed05c45a4490642abf5a1ddaae93e0e1cb406308229bc1680de34fb66dc
                                                                    • Instruction Fuzzy Hash: C1A136B09082909FD711CB28D184BA5BBA6BB8D308F1CD69DD4994F392C7B2E885CF54
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E65E87
                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 03E65EB0
                                                                      • Part of subcall function 03E4C56E: __EH_prolog3.LIBCMT ref: 03E4C575
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E65EC5
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    Strings
                                                                    • invalid map/set<T> iterator, xrefs: 03E65E98
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
                                                                    • String ID: invalid map/set<T> iterator
                                                                    • API String ID: 1048600877-152884079
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E66219
                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 03E66241
                                                                      • Part of subcall function 03E4C56E: __EH_prolog3.LIBCMT ref: 03E4C575
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E66256
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
                                                                    • String ID: map/set<T> too long
                                                                    • API String ID: 1048600877-1285458680
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 03E8895C
                                                                      • Part of subcall function 03E35D96: __FF_MSGBANNER.LIBCMT ref: 03E35DB9
                                                                      • Part of subcall function 03E35D96: RtlAllocateHeap.NTDLL(00000000,03E11FB5), ref: 03E35E0E
                                                                    • _memset.LIBCMT ref: 03E88977
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap_malloc_memset
                                                                    • String ID: <?xml$xml=
                                                                    • API String ID: 2365696598-3251264668
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw_malloc
                                                                    • String ID: 8uB$8uB
                                                                    • API String ID: 3476970888-2962129502
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E73E9E
                                                                      • Part of subcall function 03E7DA91: RegOpenKeyExA.ADVAPI32(80000002,03F494C4,00000000,00020019,?), ref: 03E7DAB7
                                                                      • Part of subcall function 03E7CCFF: _memset.LIBCMT ref: 03E7CD1D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$Open
                                                                    • String ID: @$Model$Win32_BIOS
                                                                    • API String ID: 1312665934-3821600815
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(03F48958), ref: 03E779AE
                                                                    • GetProcAddress.KERNEL32(00000000,03F4899C), ref: 03E779C4
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 03E779D1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID: \System32\
                                                                    • API String ID: 145871493-3293559133
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,40000000,00000000), ref: 03E7E522
                                                                    • CloseHandle.KERNEL32(00000000), ref: 03E7E534
                                                                    • GetLastError.KERNEL32 ref: 03E7E53F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateErrorFileHandleLast
                                                                    • String ID: \\.\
                                                                    • API String ID: 2528220319-2900601889
                                                                    APIs
                                                                      • Part of subcall function 03E258A0: RtlEnterCriticalSection.NTDLL(03F77770), ref: 03E258DC
                                                                      • Part of subcall function 03E258A0: RtlInitializeCriticalSection.NTDLL(?), ref: 03E258EB
                                                                      • Part of subcall function 03E258A0: RtlLeaveCriticalSection.NTDLL(03F77770), ref: 03E258F8
                                                                      • Part of subcall function 03E258A0: RtlEnterCriticalSection.NTDLL(?), ref: 03E25904
                                                                      • Part of subcall function 03E2433A: __EH_prolog3_catch.LIBCMT ref: 03E24341
                                                                      • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
                                                                      • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
                                                                    • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 03E2B795
                                                                    • FreeLibrary.KERNEL32(?), ref: 03E2B7A5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                                                                    • String ID: HtmlHelpA$hhctrl.ocx
                                                                    • API String ID: 2853499158-63838506
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?), ref: 03E26A98
                                                                    • GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 03E26AA8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
                                                                    • API String ID: 1646373207-2500072749
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E6387B
                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 03E63898
                                                                      • Part of subcall function 03E4C56E: __EH_prolog3.LIBCMT ref: 03E4C575
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E638AD
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                      • Part of subcall function 03E63759: __EH_prolog3_catch.LIBCMT ref: 03E63760
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$ExceptionException@8H_prolog3_catchRaiseThrowstd::runtime_error::runtime_error
                                                                    • String ID: vector<T> too long
                                                                    • API String ID: 105499203-3788999226
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: 'L
                                                                    • API String ID: 2102423945-1100884802
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E4D3B0
                                                                    • std::runtime_error::runtime_error.LIBCPMT ref: 03E4D3CD
                                                                      • Part of subcall function 03E4C56E: __EH_prolog3.LIBCMT ref: 03E4C575
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E4D3E2
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3$ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
                                                                    • String ID: vector<T> too long
                                                                    • API String ID: 1048600877-3788999226
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E30CEF
                                                                    • GetObjectA.GDI32(00000004,00000018,00000000), ref: 03E30D88
                                                                      • Part of subcall function 03E30877: CreatePatternBrush.GDI32(00000000), ref: 03E30886
                                                                      • Part of subcall function 03E30861: DeleteObject.GDI32(00000000), ref: 03E30870
                                                                      • Part of subcall function 03E308DC: SelectObject.GDI32(03E5E57F,03E5E57F), ref: 03E308E4
                                                                    • GetPixel.GDI32(?,00000000,00000000), ref: 03E30E3B
                                                                      • Part of subcall function 03E2FCFB: SetBkColor.GDI32(?,73A26180), ref: 03E2FD15
                                                                      • Part of subcall function 03E2FCFB: SetBkColor.GDI32(?,73A26180), ref: 03E2FD23
                                                                    • FillRect.USER32(?,?,?), ref: 03E30EEF
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Object$Color$BrushCreateDeleteFillH_prolog3PatternPixelRectSelect
                                                                    • String ID:
                                                                    • API String ID: 83244786-0
                                                                    • Opcode ID: 406564b986ada134b42a54c1ca465b891a1e69a813c7281cba5373c4e05e99e7
                                                                    • Instruction ID: 43538625a869f835f82e088d4813d14c7c4e14b12dec6a114ac17c130b99ae9d
                                                                    • Opcode Fuzzy Hash: 406564b986ada134b42a54c1ca465b891a1e69a813c7281cba5373c4e05e99e7
                                                                    • Instruction Fuzzy Hash: BF91E3B5C0021DAEDF11EFA5DC88DEEBFB9FF09240F149229E516A6160DB314D15DB60
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0046B185
                                                                    • _memset.LIBCMT ref: 0046B1AB
                                                                    • _memset.LIBCMT ref: 0046B1BF
                                                                    • _memset.LIBCMT ref: 0046B1E2
                                                                      • Part of subcall function 0046957E: _memset.LIBCMT ref: 004695B6
                                                                      • Part of subcall function 00454FB2: _strlen.LIBCMT ref: 00454FB9
                                                                      • Part of subcall function 0046F16E: __EH_prolog3_GS.LIBCMT ref: 0046F175
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$H_prolog3H_prolog3__strlen
                                                                    • String ID:
                                                                    • API String ID: 2299023779-0
                                                                    • Opcode ID: ff7e615134d64dd738b6c84a12e3fe45378cf0d797ef4068d1a29ad102848808
                                                                    • Instruction ID: e0108eb8fc9835c22f7a28477f529867606f2609bd91e80d50804531dc5f67be
                                                                    • Opcode Fuzzy Hash: ff7e615134d64dd738b6c84a12e3fe45378cf0d797ef4068d1a29ad102848808
                                                                    • Instruction Fuzzy Hash: DB8150B250024CBEDB21DF95CC85EEEB7ACEF18304F40451EBA1A96181DB359A48CB79
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0046B44E
                                                                    • _memset.LIBCMT ref: 0046B47F
                                                                    • _memset.LIBCMT ref: 0046B493
                                                                    • _memset.LIBCMT ref: 0046B4B6
                                                                      • Part of subcall function 0046957E: _memset.LIBCMT ref: 004695B6
                                                                      • Part of subcall function 00454FB2: _strlen.LIBCMT ref: 00454FB9
                                                                      • Part of subcall function 0046F16E: __EH_prolog3_GS.LIBCMT ref: 0046F175
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$H_prolog3H_prolog3__strlen
                                                                    • String ID:
                                                                    • API String ID: 2299023779-0
                                                                    • Opcode ID: 44b3a910e75f39b81ab9c5b6d923193dff2eacdd5e989a05234099624f614777
                                                                    • Instruction ID: 45d1f5df47e049f9c2152b0b5842df745f20f5892e5d18107e00b98878f202a1
                                                                    • Opcode Fuzzy Hash: 44b3a910e75f39b81ab9c5b6d923193dff2eacdd5e989a05234099624f614777
                                                                    • Instruction Fuzzy Hash: D7814FB250024CBADB25DF95CC85EEEB7ACEF18304F40451EBA1996181DB359A48CB75
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 004225A9
                                                                      • Part of subcall function 0043E4A6: __FF_MSGBANNER.LIBCMT ref: 0043E4C9
                                                                    • _malloc.LIBCMT ref: 00422641
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc
                                                                    • String ID:
                                                                    • API String ID: 1579825452-0
                                                                    • Opcode ID: 659bf0af6fefb896f747dcf39d784a197c3a552ce7a01f8d53b901e29849b622
                                                                    • Instruction ID: 34206d5e77b83f95016109e49673e18cd7cfcd9f8f7b85368e0f618eb3274492
                                                                    • Opcode Fuzzy Hash: 659bf0af6fefb896f747dcf39d784a197c3a552ce7a01f8d53b901e29849b622
                                                                    • Instruction Fuzzy Hash: F7A190B8E00209EFDB04CF94D594A9DFBB1FB48314F24C59AE819AB341D775AA81CF84
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 03E19E99
                                                                      • Part of subcall function 03E35D96: __FF_MSGBANNER.LIBCMT ref: 03E35DB9
                                                                      • Part of subcall function 03E35D96: RtlAllocateHeap.NTDLL(00000000,03E11FB5), ref: 03E35E0E
                                                                    • _malloc.LIBCMT ref: 03E19F31
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 680241177-0
                                                                    • Opcode ID: 8cbdfe624649ff5ee537d9954c8e321af60e2786466fe4a3751684eb2ed44e2c
                                                                    • Instruction ID: c573395d80c86e1433bed610b4f3d67568bba7fda1cdc03275051e1dc0ba3c25
                                                                    • Opcode Fuzzy Hash: 8cbdfe624649ff5ee537d9954c8e321af60e2786466fe4a3751684eb2ed44e2c
                                                                    • Instruction Fuzzy Hash: 49A162B8E00209EFDB04CF94C494AADFBB1FB48314F14D699E819AB341D775EA91CB80
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _cvtdate
                                                                    • String ID:
                                                                    • API String ID: 159983822-0
                                                                    • Opcode ID: 5bdf6cea6867440982f2240dc7227c61c1d2c09849e6c27db190c603863a6835
                                                                    • Instruction ID: 61eedd16e13f3feda5e1147585869bc26f4c809f3cff9a0d20af8d6592257259
                                                                    • Opcode Fuzzy Hash: 5bdf6cea6867440982f2240dc7227c61c1d2c09849e6c27db190c603863a6835
                                                                    • Instruction Fuzzy Hash: C951DFF2E00131BEEB208B468DC593B77EDF749744B10815BF905C6598E2FCA981D7A9
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0045824B
                                                                    • _memset.LIBCMT ref: 00458268
                                                                    • _memset.LIBCMT ref: 00458284
                                                                    • _memset.LIBCMT ref: 004582A1
                                                                      • Part of subcall function 004581C3: _strlen.LIBCMT ref: 004581CA
                                                                      • Part of subcall function 00454EAA: std::_String_base::_Xlen.LIBCPMT ref: 00454EBF
                                                                      • Part of subcall function 00455A3A: _strlen.LIBCMT ref: 00455A41
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_strlen$H_prolog3String_base::_Xlenstd::_
                                                                    • String ID:
                                                                    • API String ID: 625651370-0
                                                                    • Opcode ID: 44c3712a4a0ea1dc130eeba10ca4bd9822fa2963ae60c49d48d8d1e40bc7b877
                                                                    • Instruction ID: 25df07556cc573405ccd77e8ef307d07f0b117a9f0471ad8db1bf6235624aa5b
                                                                    • Opcode Fuzzy Hash: 44c3712a4a0ea1dc130eeba10ca4bd9822fa2963ae60c49d48d8d1e40bc7b877
                                                                    • Instruction Fuzzy Hash: 005170B1500158ABDB15EF55CC91AFF77ACAF18709F40412EBD16A7282DF385F098BA8
                                                                    APIs
                                                                    • _calloc.LIBCMT ref: 03E21604
                                                                    • RtlInitializeCriticalSection.NTDLL(-00000028), ref: 03E21623
                                                                    • _calloc.LIBCMT ref: 03E216A6
                                                                      • Part of subcall function 03E36687: __calloc_impl.LIBCMT ref: 03E3669A
                                                                    • _calloc.LIBCMT ref: 03E21714
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _calloc$CriticalInitializeSection__calloc_impl
                                                                    • String ID:
                                                                    • API String ID: 426664258-0
                                                                    • Opcode ID: aff4eb3e43c9faff164a7853e808a55c68e4e2aede2077492d02a85d6b7b9c75
                                                                    • Instruction ID: 8f1beee9ac534c075510d3696c1585c48d246fb4e289c016f562645a04c0176e
                                                                    • Opcode Fuzzy Hash: aff4eb3e43c9faff164a7853e808a55c68e4e2aede2077492d02a85d6b7b9c75
                                                                    • Instruction Fuzzy Hash: B8618878E00209EFCB04CF98C494A9DFBB1FF89314F148699D819AB345D771EA91CB94
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc_memset
                                                                    • String ID:
                                                                    • API String ID: 4137368368-0
                                                                    • Opcode ID: 65ba0abd00ccaccb4dc4df0fe2aa43fb8e3109849c866a618636785ce7bbe35e
                                                                    • Instruction ID: a55f160216a68c43cb1ac3c1c57cb3de9de1ce525d8b2093d656d82bfaeae293
                                                                    • Opcode Fuzzy Hash: 65ba0abd00ccaccb4dc4df0fe2aa43fb8e3109849c866a618636785ce7bbe35e
                                                                    • Instruction Fuzzy Hash: 81412331510106AFCB56EF689C99EFE3BA9DF16304F044556FC95DB241DA3ACA0CC788
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc_memset
                                                                    • String ID:
                                                                    • API String ID: 4137368368-0
                                                                    • Opcode ID: 267a596420bd91d0679eaa7fee9d2060d593a183b3add6c15d566ab8cf6b0794
                                                                    • Instruction ID: 25eb5c60485913192f1daa816c5fc48ca701d2f13847c14670299321cc92eb8a
                                                                    • Opcode Fuzzy Hash: 267a596420bd91d0679eaa7fee9d2060d593a183b3add6c15d566ab8cf6b0794
                                                                    • Instruction Fuzzy Hash: E441D476500246BFCB16DF6C9C9DAFA7BBADF16204B085394FC59CB250DA32DA09C784
                                                                    APIs
                                                                    • _strlen.LIBCMT ref: 0045C939
                                                                    • _strlen.LIBCMT ref: 0045C95B
                                                                      • Part of subcall function 00436680: _memmove_s.LIBCMT ref: 00436690
                                                                      • Part of subcall function 0042C82E: _memcpy_s.LIBCMT ref: 0042C83E
                                                                      • Part of subcall function 004D90D5: __mbsstr_l.LIBCMT ref: 004D90DF
                                                                    • _strlen.LIBCMT ref: 0045C99B
                                                                    • _strlen.LIBCMT ref: 0045CA5C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$__mbsstr_l_memcpy_s_memmove_s
                                                                    • String ID:
                                                                    • API String ID: 51393532-0
                                                                    • Opcode ID: 80c82c4ddc3a715f76fa5a2d507a8f7bae74d58c877bd8494c60635d11f09bf0
                                                                    • Instruction ID: 01dc7f0b5e3c66b3153f3830d8ce32c35f563947f9e90ac798a4a0c18c714101
                                                                    • Opcode Fuzzy Hash: 80c82c4ddc3a715f76fa5a2d507a8f7bae74d58c877bd8494c60635d11f09bf0
                                                                    • Instruction Fuzzy Hash: 22418D72D00229EFCF11DFA9D881AAEBBB5AF48715F14401BEC04B7202D7389E45DB98
APIs
• _strlen.LIBCMT ref: 03E54229
• _strlen.LIBCMT ref: 03E5424B
  • Part of subcall function 03E2DF70: _memmove_s.LIBCMT ref: 03E2DF80
  • Part of subcall function 03E2411E: _memcpy_s.LIBCMT ref: 03E2412E
  • Part of subcall function 03ED09C5: __mbsstr_l.LIBCMT ref: 03ED09CF
• _strlen.LIBCMT ref: 03E5428B
• _strlen.LIBCMT ref: 03E5434C
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: _strlen$__mbsstr_l_memcpy_s_memmove_s
• String ID:
• API String ID: 51393532-0
• Opcode ID: 80c82c4ddc3a715f76fa5a2d507a8f7bae74d58c877bd8494c60635d11f09bf0
• Instruction ID: 4fc6dfc2eb0b90fc613aa4879f18a6415e095f57e0d765dcc061061c9a60975a
• Opcode Fuzzy Hash: 80c82c4ddc3a715f76fa5a2d507a8f7bae74d58c877bd8494c60635d11f09bf0
• Instruction Fuzzy Hash: 93416076D00229EBCF11DFAAC9809EEFBB5AF48714F14525AEC15BB240D7306A81CF94
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: _malloc$_memset_sprintf
• String ID:
• API String ID: 1112014273-0
• Opcode ID: 4ad42296586c5e7d0d25847f931ce3d23e4187385dabb17e4afcdb82b541dc5b
• Instruction ID: 0cc7c4524c0ef11278b1270862cb54b5f42f765e51c4a16ce0223c0f1f59f3e8
• Opcode Fuzzy Hash: 4ad42296586c5e7d0d25847f931ce3d23e4187385dabb17e4afcdb82b541dc5b
• Instruction Fuzzy Hash: 2741E57280410DBEDF11FFA5DC50CEEBB69EB08314F2089ABF845E2101E738CA149B65
APIs
• _memset.LIBCMT ref: 03E34B3D
  • Part of subcall function 03E23841: _wctomb_s.LIBCMT ref: 03E23851
• GetFileTime.KERNEL32(?,?,?,?), ref: 03E34B74
• GetFileSize.KERNEL32(?,00000000), ref: 03E34B89
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: File$SizeTime_memset_wctomb_s
• String ID:
• API String ID: 26245289-0
• Opcode ID: 17bfea0493e91720e08521519cf506fd3fb2b4aaf6e391e85b06dffa98fa578a
• Instruction ID: e8e01c00fc00a79ae70ee282594a490dcb5e18ebfdbe2803bc44e29ba6c1b34d
• Opcode Fuzzy Hash: 17bfea0493e91720e08521519cf506fd3fb2b4aaf6e391e85b06dffa98fa578a
• Instruction Fuzzy Hash: 57413975904705AFCB24DF69D8849AABBF8BF0A3107048B2DE1A6D76D0E730E904CF60
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: _memset$_strncmp
• String ID:
• API String ID: 1416122760-0
• Opcode ID: 1a3e48ede601d1b58265ba45a7f85df6e5ec052ccd5002dc54699cd79f1a1716
• Instruction ID: eae7628317934c5ab6da4baea3edc06792d4108948bea873648f0754e8702cdd
• Opcode Fuzzy Hash: 1a3e48ede601d1b58265ba45a7f85df6e5ec052ccd5002dc54699cd79f1a1716
• Instruction Fuzzy Hash: 64411971C053E89FDB22EBB09CC5BDE7FB85F16304F5808DAE984A7342C6A84645C755
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: __calloc_crt__init_pointers__mtterm
• String ID:
• API String ID: 2478854527-0
• Opcode ID: c02058be43f7805059f54bb155cd1b06a9f05345f5b83a13b9c49945c225b97b
• Instruction ID: c93b8ce910d87f6bbbacce9633907b0a7732982a20f4c2d85503f6dade7b8c19
• Opcode Fuzzy Hash: c02058be43f7805059f54bb155cd1b06a9f05345f5b83a13b9c49945c225b97b
• Instruction Fuzzy Hash: 0B31D3F08046619BEB20AFB5DD85A9A3AA5FB61354710021FFC10D36F5DBFC8540CB6A
APIs
• SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 03E2DA3B
• SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 03E2DAA0
• SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 03E2DAE5
• SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 03E2DB0E
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 29a28b3b36ed2db836d0fcd912846d9b4ed0301ed704563a46c5e4b5434d9a08
• Instruction ID: 215e3051e63b677c239021676864717a4d62f74fbac47f7a3208e5a8a486febc
• Opcode Fuzzy Hash: 29a28b3b36ed2db836d0fcd912846d9b4ed0301ed704563a46c5e4b5434d9a08
• Instruction Fuzzy Hash: B1318070640229BFDF25DF55CC90EAB7FB9EF41294F1892AAF6059B250DA70E940CB90
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 03E471E0
• __isleadbyte_l.LIBCMT ref: 03E47214
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,FF000002,?,00000000,?,?,?,03E3FB55,?,?,00000001), ref: 03E47245
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,03E3FB55,?,?,00000001), ref: 03E472B3
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: eb5762422de154e908c3c7c35dff7aab160994a6dae6746e19ce528173289968
• Instruction ID: 30045a69b84fbe1ade25908a5d3c9bc3a6f0fc0acfc43181a9056b224cdae262
• Opcode Fuzzy Hash: eb5762422de154e908c3c7c35dff7aab160994a6dae6746e19ce528173289968
• Instruction Fuzzy Hash: 2731A471600255EFDF20DF64DC44DAA7BB5BF09215F0897A9F8B18B290E330E940CB90
APIs
• __lock.LIBCMT ref: 00447D93
  • Part of subcall function 00443D8E: __mtinitlocknum.LIBCMT ref: 00443DA2
  • Part of subcall function 00443D8E: __amsg_exit.LIBCMT ref: 00443DAE
• __mtinitlocknum.LIBCMT ref: 00447DD3
• __malloc_crt.LIBCMT ref: 00447E17
• ___crtInitCritSecAndSpinCount.LIBCMT ref: 00447E3C
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: __mtinitlocknum$CountCritInitSpin___crt__amsg_exit__lock__malloc_crt
• String ID:
• API String ID: 2497316225-0
• Opcode ID: 5eb5f410593e0673990d47bf543c1a71dc5a3537c33dc4df544868d30c849053
• Instruction ID: ce5b09f0bb2dc2aa9be2509bebe54ba39fbe760dc3c5e7a67df354ea61d14bd8
• Opcode Fuzzy Hash: 5eb5f410593e0673990d47bf543c1a71dc5a3537c33dc4df544868d30c849053
• Instruction Fuzzy Hash: 6D31E1765047119FF721DFA9C881A2AB7E4FF09324760429EE440977A1CBB8A842CF48
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: String_base::_Xlenchar_traitsstd::_
• String ID:
• API String ID: 511128623-0
• Opcode ID: ee95c3963e00159a21a40167da171f76ecbd15f9138887d853d844b7829fce98
• Instruction ID: 9a4780ca344c4cd4e0cc5355a031c39411397e14640ff4521c999b59fd75612f
• Opcode Fuzzy Hash: ee95c3963e00159a21a40167da171f76ecbd15f9138887d853d844b7829fce98
• Instruction Fuzzy Hash: EE31B171600208ABCF24DF59C9809AF77BAEF81705B14490FFC129B247CE38E958CB59
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: String_base::_Xlenchar_traitsstd::_
• String ID:
• API String ID: 511128623-0
• Opcode ID: 8a2f856a41edac958964d00247642a155627e2e514abe32547c91017cab25610
• Instruction ID: c381d3089a5e629c7af41e34049bf200c25d3ae942f4dcd3ce0517f5a95b6b0d
• Opcode Fuzzy Hash: 8a2f856a41edac958964d00247642a155627e2e514abe32547c91017cab25610
• Instruction Fuzzy Hash: 19317C31600708ABCB24DF6DD984AAE7BB6FF84714B186A18FC528B281C730F954CB95
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
Similarity
• API ID: __msize_malloc
• String ID:
• API String ID: 1288803200-0
• Opcode ID: 1a93b80acf86335dfd760c093a498d7f72b904f7b8bada2c1b8e7747dbc68883
• Instruction ID: 46b36ef238d974fd73622b4586d91f0259d735121b1d32a93e2977cacc811190
• Opcode Fuzzy Hash: 1a93b80acf86335dfd760c093a498d7f72b904f7b8bada2c1b8e7747dbc68883
• Instruction Fuzzy Hash: 592187717002209BCB25AF21E981A5BB7B4AF46364BD1853FF8148B292DB38DC45C788
APIs
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: __msize_malloc
• String ID:
• API String ID: 1288803200-0
• Opcode ID: 7bccbaffd46e852e18f38035965ec5902acb90d52b99b897227a8bb9bec0e202
• Instruction ID: f9b668d59b36684b56b4f67a9d3956c85ebcf2dee25b09859c6a20dbf908b3e3
• Opcode Fuzzy Hash: 7bccbaffd46e852e18f38035965ec5902acb90d52b99b897227a8bb9bec0e202
• Instruction Fuzzy Hash: 572182355007359FCB29EF24C885AAEBBB4EF01654B18A729DC59CE286DB70D840CBD1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _fputc_vfprintf
                                                                    • String ID:
                                                                    • API String ID: 1200358280-0
                                                                    • Opcode ID: abc914e3de7b76e2dacda7ffb166514d01a0dac2280d0f601ed1d74fc9402b8d
                                                                    • Instruction ID: 4dcee4d7df3ef35d944404914ee9d4bf8f9c3b17d2d5e6c778068f8b15eda90a
                                                                    • Opcode Fuzzy Hash: abc914e3de7b76e2dacda7ffb166514d01a0dac2280d0f601ed1d74fc9402b8d
                                                                    • Instruction Fuzzy Hash: C6316DB5E00208EFEF00DF95D986BAEB7B4AF44314F00C45AE8095B351D638EA94CF5A
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _fputc_vfprintf
                                                                    • String ID:
                                                                    • API String ID: 1200358280-0
                                                                    • Opcode ID: 5c311e384d0421d282bba48dd8b2177b543811c32c2e290ca921ee33a0d4541d
                                                                    • Instruction ID: 8b04f7ece1e48a4a71d16d178cb5793fdf3582864d043f94e23206e85d0f7a54
                                                                    • Opcode Fuzzy Hash: 5c311e384d0421d282bba48dd8b2177b543811c32c2e290ca921ee33a0d4541d
                                                                    • Instruction Fuzzy Hash: 3A3149B9D00309ABDF00DFA4D849BADBBB8AF49304F04D659E9095B341E775EA84CF61
                                                                    APIs
                                                                    • VariantClear.OLEAUT32 ref: 03E2EB89
                                                                    • SafeArrayCreate.OLEAUT32(?,?,00000000), ref: 03E2EB95
                                                                    • SafeArrayGetElemsize.OLEAUT32(00000000), ref: 03E2EBB3
                                                                      • Part of subcall function 03E2379D: __CxxThrowException@8.LIBCMT ref: 03E237B1
                                                                    • SafeArrayGetElemsize.OLEAUT32(?), ref: 03E2EC08
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$Elemsize$ClearCreateException@8ThrowVariant
                                                                    • String ID:
                                                                    • API String ID: 430961931-0
                                                                    • Opcode ID: f3e221111630c65ff0cdc58bb88e5611ff2200ce6abb06beb8b47ded4af4e981
                                                                    • Instruction ID: 3fd21e46b15e7935919ffde769030d83684f521bea62c93af122c72f4ea5c296
                                                                    • Opcode Fuzzy Hash: f3e221111630c65ff0cdc58bb88e5611ff2200ce6abb06beb8b47ded4af4e981
                                                                    • Instruction Fuzzy Hash: 2321F475601739AFDB30EF65DC44A9FBFBDEF80A54F18672AF80682110C7709940CA61
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _sprintf$_strncpy
                                                                    • String ID:
                                                                    • API String ID: 1849356164-0
                                                                    • Opcode ID: 305a5635335e6f62278ed00a6f24c2b640a94f46b77b1ae82dd0118f0f2440d0
                                                                    • Instruction ID: 52e36b84089c6bfa278bb7ceb99515696e6c8811534b7521f8d73dc578b9fdb7
                                                                    • Opcode Fuzzy Hash: 305a5635335e6f62278ed00a6f24c2b640a94f46b77b1ae82dd0118f0f2440d0
                                                                    • Instruction Fuzzy Hash: 9031F6B66002119FD314DF14DC81EE273E4EB99304B14866EF445C7B26EBBEB445CB65
                                                                    APIs
                                                                    • CharNextA.USER32(?), ref: 03ECA9B6
                                                                      • Part of subcall function 03ED2FC6: __ismbcspace_l.LIBCMT ref: 03ED2FCC
                                                                    • CharNextA.USER32(00000000), ref: 03ECA9D3
                                                                    • _strtol.LIBCMT ref: 03ECA9FE
                                                                    • _strtoul.LIBCMT ref: 03ECAA05
                                                                      • Part of subcall function 03E3E070: strtoxl.LIBCMT ref: 03E3E090
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
                                                                    • String ID:
                                                                    • API String ID: 4211061542-0
                                                                    • Opcode ID: de89888ad6d2856112011c4028780ac3b7667437dac56c8e247811f196dabdac
                                                                    • Instruction ID: e9e1aa591f54f3563ac15a8eb40ce5a70a60856dfabb4761d119871d3c4f23d5
                                                                    • Opcode Fuzzy Hash: de89888ad6d2856112011c4028780ac3b7667437dac56c8e247811f196dabdac
                                                                    • Instruction Fuzzy Hash: 47215772510288ABCB21DB749E41BEEF3F8AF49304F09167AE690DA240DB30D942CB60
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F494C4,00000000,00020019,03E741F7), ref: 03E7D9FF
                                                                    • RegQueryValueExA.ADVAPI32(03E741F7,03F494B4,00000000,00000000,?,00000000), ref: 03E7DA2E
                                                                    • RegCloseKey.ADVAPI32(03E741F7), ref: 03E7DA3B
                                                                    • RegCloseKey.ADVAPI32(03E741F7), ref: 03E7DA45
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Close$OpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 1607946009-0
                                                                    • Opcode ID: 229939a1b7312eb0a2e7b73d86d2c459920d2f4b0900c534f0228b3e6dbe7f73
                                                                    • Instruction ID: f04cfef0549043a8120482039a84449700297df7cff6f79f97be83db6cc34916
                                                                    • Opcode Fuzzy Hash: 229939a1b7312eb0a2e7b73d86d2c459920d2f4b0900c534f0228b3e6dbe7f73
                                                                    • Instruction Fuzzy Hash: DF11B472A04219AFEB11DB68DC09BEFBBB8AF01749F2883A5ED11E6041E6B09604C750
                                                                    APIs
                                                                    • GlobalFix.KERNEL32(?), ref: 03E31419
                                                                    • lstrcmp.KERNEL32(?,?), ref: 03E31425
                                                                    • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 03E3145F
                                                                    • GlobalFix.KERNEL32(00000000), ref: 03E31469
                                                                      • Part of subcall function 03E2EFF4: GlobalFlags.KERNEL32(?), ref: 03E2EFFF
                                                                      • Part of subcall function 03E2EFF4: GlobalUnWire.KERNEL32(?), ref: 03E2F011
                                                                      • Part of subcall function 03E2EFF4: GlobalFree.KERNEL32(?), ref: 03E2F01C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFlagsFreeWirelstrcmp
                                                                    • String ID:
                                                                    • API String ID: 396917142-0
                                                                    • Opcode ID: be1a731d37b2502f21c9f1688f9efc43bdab1607b63b592cc6ad1a2889569216
                                                                    • Instruction ID: 904f6a8756e5db78d16b264a2a0600ffb8a5f230803fe86be7088f4ff260656e
                                                                    • Opcode Fuzzy Hash: be1a731d37b2502f21c9f1688f9efc43bdab1607b63b592cc6ad1a2889569216
                                                                    • Instruction Fuzzy Hash: 87119A75500614BADB22ABBAEC48D7FBABDFFC6604B085619F605DA020EB35D910D770
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F494C4,00000000,00020019,?), ref: 03E7DAB7
                                                                    • RegQueryValueExA.ADVAPI32(?,03F494E0,00000000,00000000,?,00000000), ref: 03E7DAE6
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E7DAF3
                                                                    • RegCloseKey.ADVAPI32(?), ref: 03E7DAFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Close$OpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 1607946009-0
                                                                    • Opcode ID: 03ad21526d9e0c277b41e784b3e99de47f58fe0d8b07a811c9da8594566babb8
                                                                    • Instruction ID: 16c650c3321800209295796a53b1c07499f559552c22207bf768ddf92520c404
                                                                    • Opcode Fuzzy Hash: 03ad21526d9e0c277b41e784b3e99de47f58fe0d8b07a811c9da8594566babb8
                                                                    • Instruction Fuzzy Hash: 21118671A04209AFEB11DB64DC49FABBBB8AF05349F2882A5E515D2145D7B0D608CB50
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 03E794BB
                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000090), ref: 03E794D5
                                                                    • GetVolumeInformationA.KERNEL32(00000000,?,00000080,00000000,03E741D5,00000000,?,00000080), ref: 03E79515
                                                                    • GetLastError.KERNEL32 ref: 03E7951F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: DirectoryErrorFileInformationLastModuleNameVolumeWindows
                                                                    • String ID:
                                                                    • API String ID: 437373872-0
                                                                    • Opcode ID: 1927256a6ae9dcc7b304e4657ad8a0f84cef52a9f85276dc768f183b08138741
                                                                    • Instruction ID: a61098c5a5c9536e6d901e94374c8463a022f4e7dcd7fe1f093c11facad56f80
                                                                    • Opcode Fuzzy Hash: 1927256a6ae9dcc7b304e4657ad8a0f84cef52a9f85276dc768f183b08138741
                                                                    • Instruction Fuzzy Hash: 2D11BF76500158BEDF12DBA4DC84BEEBBBCAF09344F0842DAF595A6186E7309649CB21
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E253B7
                                                                      • Part of subcall function 03E236A8: _malloc.LIBCMT ref: 03E236C2
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E253ED
                                                                    • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,03E239BB,00000000,00000000,00000000,?,?,03F5E178,00000004,03E239BB,8007000E,03E239FE), ref: 03E25416
                                                                      • Part of subcall function 03E23841: _wctomb_s.LIBCMT ref: 03E23851
                                                                    • LocalFree.KERNEL32(03E239BB,03E239BB,8007000E,03E239FE), ref: 03E2543F
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
                                                                    • String ID:
                                                                    • API String ID: 1615547351-0
                                                                    • Opcode ID: e73f159b012c79dce619e480b9a48937b7c12153c78e2c0d14673c618f89634b
                                                                    • Instruction ID: e7946b1fffbd6ec222cf32e4808e31e9d5be8aa4afe3f52484d321ac7b21404d
                                                                    • Opcode Fuzzy Hash: e73f159b012c79dce619e480b9a48937b7c12153c78e2c0d14673c618f89634b
                                                                    • Instruction Fuzzy Hash: BC119E71604319AFDB00EFA4DC80EAEBBA9FB09250F109629FA15CA2D0D6719950CB20
                                                                    APIs
                                                                    • std::exception::exception.LIBCMT ref: 03E65882
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E65897
                                                                      • Part of subcall function 03E236A8: _malloc.LIBCMT ref: 03E236C2
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 4063778783-0
                                                                    • Opcode ID: 2f95f9fcdc190245b5083cd8875b9bdf48524d0bc077c8dbd02bfe9bb4d71f87
                                                                    • Instruction ID: 43774cbe077de40c01282ae6b3e6901a62bf3893381a92f12a478275f3e03050
                                                                    • Opcode Fuzzy Hash: 2f95f9fcdc190245b5083cd8875b9bdf48524d0bc077c8dbd02bfe9bb4d71f87
                                                                    • Instruction Fuzzy Hash: 2F110875A5020C7EDB0CFBB8C855ADD37AD5F51655F50A37EE822D90C1DF70D2088A94
                                                                    APIs
                                                                    • FindResourceA.KERNEL32(?,00000000,00000005), ref: 03E35353
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 03E3535B
                                                                    • LockResource.KERNEL32(00000000), ref: 03E3536D
                                                                    • FreeResource.KERNEL32(00000000), ref: 03E353B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindFreeLoadLock
                                                                    • String ID:
                                                                    • API String ID: 1078018258-0
                                                                    • Opcode ID: 32dad4c3e9c8ebb08e65f47480f334d1a4b5067b8ecdb62166e34986486d363b
                                                                    • Instruction ID: 5924ad33104d5812e628adc402e355b6af55dcb2fbbeeb599b909d557a345775
                                                                    • Opcode Fuzzy Hash: 32dad4c3e9c8ebb08e65f47480f334d1a4b5067b8ecdb62166e34986486d363b
                                                                    • Instruction Fuzzy Hash: FF11C130901725EFC724EF55D88CBABF3B8FF02319F185659E84253688E3B0A950D751
                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 03E31AA8
                                                                      • Part of subcall function 03E25C7F: __EH_prolog3.LIBCMT ref: 03E25C86
                                                                    • __strdup.LIBCMT ref: 03E31ACA
                                                                    • GetCurrentThread.KERNEL32 ref: 03E31AF7
                                                                    • GetCurrentThreadId.KERNEL32 ref: 03E31B00
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentH_prolog3Thread$__strdup
                                                                    • String ID:
                                                                    • API String ID: 4206445780-0
                                                                    • Opcode ID: ae814163be8537e4e86ac42715348ac24c1b0a6a7c8294a8388b7a71ea36e550
                                                                    • Instruction ID: a8d17e1f8683a4d37b9a998b3cadb353448a82717f38f8a90c5ba05f61ef2c29
                                                                    • Opcode Fuzzy Hash: ae814163be8537e4e86ac42715348ac24c1b0a6a7c8294a8388b7a71ea36e550
                                                                    • Instruction Fuzzy Hash: 5A21AFB4801B10CFC721EF3A854525AFBF8BFA4600F149A1FD1AA8BA21D7B0A041CF44
                                                                    APIs
                                                                    • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 03E32AB7
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 03E32AC0
                                                                    • _swprintf.LIBCMT ref: 03E32ADD
                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 03E32AEE
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ClosePrivateProfileStringValueWrite_swprintf
                                                                    • String ID:
                                                                    • API String ID: 4210924919-0
                                                                    • Opcode ID: 5443c835a37306698987d7d68115ea9a3742547e9bbd49b558980acecc00050d
                                                                    • Instruction ID: 09af96c000d244df96c9926ec8d6b41d5226d575233d8806129cb36d4a85bb6d
                                                                    • Opcode Fuzzy Hash: 5443c835a37306698987d7d68115ea9a3742547e9bbd49b558980acecc00050d
                                                                    • Instruction Fuzzy Hash: 6701A172500219BBDB10EB64DC49FAFB7ACAF4A604F140A29BA01E7144DAB4E915C7A4
                                                                    APIs
                                                                    • IsValidSid.ADVAPI32(?,75A8E690,00000000,03E7EE94,00000000,00000000,03E7A6E3,?,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EC22
                                                                    • GetSidIdentifierAuthority.ADVAPI32(?,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EC2D
                                                                    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EC34
                                                                    • GetSidSubAuthority.ADVAPI32(?,?,?,00000000,?,?,?,03E7A6E3,00000000,03E741D5,03E74201), ref: 03E7EC59
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Authority$CountIdentifierValid
                                                                    • String ID:
                                                                    • API String ID: 776529623-0
                                                                    • Opcode ID: e7b95f86fb5352f089dde48002fb1fce15a5d4a75165ddba8be69855f4f78ef6
                                                                    • Instruction ID: e26d5f899350bd55a8fa10f04b222607d27f31d60237c886ec5537035262cf69
                                                                    • Opcode Fuzzy Hash: e7b95f86fb5352f089dde48002fb1fce15a5d4a75165ddba8be69855f4f78ef6
                                                                    • Instruction Fuzzy Hash: D1018F35240392DBCB20DA76AE84927BBFCABC469571D6AAAE157C6115E730D040CBA0
                                                                    APIs
                                                                    • IntersectRect.USER32(?,00000000,?), ref: 03EC3E7E
                                                                    • EqualRect.USER32(?,00000000), ref: 03EC3E8B
                                                                    • IsRectEmpty.USER32(?), ref: 03EC3E95
                                                                    • InvalidateRect.USER32(?,?,?), ref: 03EC3EB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$EmptyEqualIntersectInvalidate
                                                                    • String ID:
                                                                    • API String ID: 3354205298-0
                                                                    • Opcode ID: 700ff094f0033bc137e5aee85cfce2047b04a22313cc2d679c56180958451540
                                                                    • Instruction ID: cb321e964c412733b4392ca81dae84d3689e2bf490ed5c6e06ceabb833786b4b
                                                                    • Opcode Fuzzy Hash: 700ff094f0033bc137e5aee85cfce2047b04a22313cc2d679c56180958451540
                                                                    • Instruction Fuzzy Hash: 4311187690021AEFCF01DF95D988EDFBBBDBF09209F0081A5FA049A054D335A5568FA0
                                                                    APIs
                                                                    • EnableMenuItem.USER32(?,00000000,?), ref: 03E27319
                                                                      • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
                                                                      • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
                                                                    • GetFocus.USER32 ref: 03E27330
                                                                    • GetParent.USER32(?), ref: 03E2733E
                                                                    • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 03E27351
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
                                                                    • String ID:
                                                                    • API String ID: 3849708097-0
                                                                    • Opcode ID: 6e04011657b9d848af29e81b0bce8ae977f9e593af11fe03bb26502782299d02
                                                                    • Instruction ID: a7d6aad6fc36fa9ba722fda527a113cd3297c0e678f8df444137b83df2628b00
                                                                    • Opcode Fuzzy Hash: 6e04011657b9d848af29e81b0bce8ae977f9e593af11fe03bb26502782299d02
                                                                    • Instruction Fuzzy Hash: 9A118B71500620EFCB30EF20DC84C6BFBBAFF88316B189B29E59646955C730B854CA60
                                                                    APIs
                                                                    • WindowFromPoint.USER32(?,?), ref: 03EC16BA
                                                                    • GetParent.USER32(00000000), ref: 03EC16C8
                                                                    • ScreenToClient.USER32(00000000,?), ref: 03EC16E9
                                                                    • IsWindowEnabled.USER32(00000000), ref: 03EC1702
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientEnabledFromParentPointScreen
                                                                    • String ID:
                                                                    • API String ID: 1871804413-0
                                                                    • Opcode ID: f5b7391b667af52e415a2393d0160508d5f33e75212aa6f3db8639e9826020fa
                                                                    • Instruction ID: c14774a2022dc881c29b71d4fac5d7783f59e5d54063afd489fcb1088342428a
                                                                    • Opcode Fuzzy Hash: f5b7391b667af52e415a2393d0160508d5f33e75212aa6f3db8639e9826020fa
                                                                    • Instruction Fuzzy Hash: BB01F23A611624BBC712EBA8DD08DAFFB7DEF8A600B18031DF904D7201EB30D9028760
                                                                    APIs
                                                                    • FindResourceExA.KERNEL32(?,00000005,?,00000000), ref: 03E16062
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 03E1607E
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindLoad
                                                                    • String ID:
                                                                    • API String ID: 2619053042-0
                                                                    • Opcode ID: 072610bf68168f947d2faaaa367babbdbca0daf55f5a904a6539bf97b427b04c
                                                                    • Instruction ID: df484018b261c4030b4a1db07898af8c5f033163e49947d5b0b7d638dac1e2b5
                                                                    • Opcode Fuzzy Hash: 072610bf68168f947d2faaaa367babbdbca0daf55f5a904a6539bf97b427b04c
                                                                    • Instruction Fuzzy Hash: 8D11FA75900218EFCB10DFA5D944BAE7BB8FF48328F108B48F92597284D77199608B50
                                                                    APIs
                                                                    • GetTopWindow.USER32(?), ref: 03E2ADAA
                                                                    • GetTopWindow.USER32(00000000), ref: 03E2ADE9
                                                                    • GetWindow.USER32(00000000,00000002), ref: 03E2AE07
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window
                                                                    • String ID:
                                                                    • API String ID: 2353593579-0
                                                                    • Opcode ID: 0c3c5fa8a834f428d1b8265a2ac0b910a9282b80268cbb87a152b823ed3889a4
                                                                    • Instruction ID: 0f9a407e68f98d26299617a8467b8647570e6d33ec692b7ef00cfd2f947dd525
                                                                    • Opcode Fuzzy Hash: 0c3c5fa8a834f428d1b8265a2ac0b910a9282b80268cbb87a152b823ed3889a4
                                                                    • Instruction Fuzzy Hash: 8B01E93600162AFBCF12AF919D04EDF7F3AAF44355F095220FA1565020CB36D971EBA1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                    • String ID:
                                                                    • API String ID: 3016257755-0
                                                                    • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                                    • Instruction ID: e80d355cd8ee98775ff6d0df587e339f06f50e1d998cd947de48b51691f2464a
                                                                    • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                                    • Instruction Fuzzy Hash: 35014E7204014EBBDF165E85CC428EE3F26FB18354F598816FA1859231D73AC9B1AB96
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,?), ref: 03E2A610
                                                                    • GetTopWindow.USER32(00000000), ref: 03E2A623
                                                                      • Part of subcall function 03E2A605: GetWindow.USER32(00000000,00000002), ref: 03E2A66A
                                                                    • GetTopWindow.USER32(?), ref: 03E2A653
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Item
                                                                    • String ID:
                                                                    • API String ID: 369458955-0
                                                                    • Opcode ID: 3bbaa8533a9c75e1795b03de9acdb72b7eff56f1347988b7861f2baaa7d688f4
                                                                    • Instruction ID: 917cafb627626ae54f48b626496c456f577ecab2551430f2dadd150b0a8fdf29
                                                                    • Opcode Fuzzy Hash: 3bbaa8533a9c75e1795b03de9acdb72b7eff56f1347988b7861f2baaa7d688f4
                                                                    • Instruction Fuzzy Hash: FF014B3A40163DBBCB32AE659C00EAF3F69AF406A8B099331FD11A5114DF31D5618AE9
                                                                    APIs
                                                                    • SysStringLen.OLEAUT32(?), ref: 03E269B5
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 03E269CD
                                                                    • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 03E269D5
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 03E269F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Byte$CharMultiStringWide$Alloc
                                                                    • String ID:
                                                                    • API String ID: 3384502665-0
                                                                    • Opcode ID: c6649324f38ea62b71577628eba3b33ce479517fa68f383145257d0347c750b0
                                                                    • Instruction ID: ed865be5ff649e0aa36c8d6895eea7af2cc5bc70a92a43b0cae9bd5e3d87ad73
                                                                    • Opcode Fuzzy Hash: c6649324f38ea62b71577628eba3b33ce479517fa68f383145257d0347c750b0
                                                                    • Instruction Fuzzy Hash: DCF036761072387FD72166676C4CCABFF9CFF8A2B5B01472AF54992100D665D410CAF1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                    • String ID:
                                                                    • API String ID: 3016257755-0
                                                                    • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                                    • Instruction ID: 9e2ee38ca5ba3ccae97a4e2a8cd57551c7e1e37568cc17e7fbf1ce7ccd7bcdb9
                                                                    • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                                    • Instruction Fuzzy Hash: 3901363A40024EBBCF129E84EC01DEE7F37BB0C254B499A15FA58A8131D636C5B1AB81
                                                                    APIs
                                                                      • Part of subcall function 03E3DA12: __amsg_exit.LIBCMT ref: 03E3DA20
                                                                    • __amsg_exit.LIBCMT ref: 03E4192F
                                                                    • __lock.LIBCMT ref: 03E4193F
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 03E4195C
                                                                    • InterlockedIncrement.KERNEL32(03F6AF20), ref: 03E41987
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                                                    • String ID:
                                                                    • API String ID: 4129207761-0
                                                                    • Opcode ID: ed9ec9ee727520ce06b79a73e71dbb0b5263bba8d4a6c8bb553be7584ca191ab
                                                                    • Instruction ID: 4b24ffc25801babd1341ceb36d612f1711af5f6d9620b65296d2d90603c9dc7e
                                                                    • Opcode Fuzzy Hash: ed9ec9ee727520ce06b79a73e71dbb0b5263bba8d4a6c8bb553be7584ca191ab
                                                                    • Instruction Fuzzy Hash: 5101A176901725EBDF60EB65A41875DB2B47F0D714F082205E522BB384CB74D881CBD2
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,00000000,03E3A1C7,03E37306,00000001,03E3D72E,000A0000,00000000,?,?,?,03E11FC4,03E3D840,?,03E3C4C5,03E35E49), ref: 03E3D99D
                                                                      • Part of subcall function 03E3D86D: TlsGetValue.KERNEL32(00000000,03E3D9B0,?,00000000,03E3A1C7,03E37306,00000001,03E3D72E,000A0000,00000000,?,?,?,03E11FC4,03E3D840), ref: 03E3D874
                                                                      • Part of subcall function 03E3D86D: TlsSetValue.KERNEL32(00000000,00000000,03E3A1C7,03E37306,00000001,03E3D72E,000A0000,00000000,?,?,?,03E11FC4,03E3D840,?,03E3C4C5,03E35E49), ref: 03E3D895
                                                                    • __calloc_crt.LIBCMT ref: 03E3D9BF
                                                                      • Part of subcall function 03E40E71: __calloc_impl.LIBCMT ref: 03E40E7F
                                                                      • Part of subcall function 03E40E71: Sleep.KERNEL32(00000000,?,03E11FC4,000A0000), ref: 03E40E96
                                                                      • Part of subcall function 03E3D7F6: TlsGetValue.KERNEL32(?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D803
                                                                      • Part of subcall function 03E3D7F6: TlsGetValue.KERNEL32(03F6A9F4,?,03E3C4C5,03E35E49,03E11FC4,?,03E11FC4,000A0000), ref: 03E3D81A
                                                                      • Part of subcall function 03E3D8DC: GetModuleHandleA.KERNEL32(KERNEL32.DLL,03F5FF08,0000000C,03E3D9ED,00000000,00000000,?,00000000,03E3A1C7,03E37306,00000001,03E3D72E,000A0000,00000000), ref: 03E3D8ED
                                                                      • Part of subcall function 03E3D8DC: GetProcAddress.KERNEL32(?,EncodePointer), ref: 03E3D921
                                                                      • Part of subcall function 03E3D8DC: GetProcAddress.KERNEL32(?,DecodePointer), ref: 03E3D931
                                                                      • Part of subcall function 03E3D8DC: InterlockedIncrement.KERNEL32(03F6AAF8), ref: 03E3D953
                                                                      • Part of subcall function 03E3D8DC: __lock.LIBCMT ref: 03E3D95B
                                                                      • Part of subcall function 03E3D8DC: ___addlocaleref.LIBCMT ref: 03E3D97A
                                                                    • GetCurrentThreadId.KERNEL32 ref: 03E3D9EF
                                                                    • SetLastError.KERNEL32(00000000,?,00000000,03E3A1C7,03E37306,00000001,03E3D72E,000A0000,00000000,?,?,?,03E11FC4,03E3D840,?,03E3C4C5), ref: 03E3DA07
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                                                    • String ID:
                                                                    • API String ID: 1081334783-0
                                                                    • Opcode ID: 57ebb076af9d98385114bf1da9ece487a9a95e140cb074b17537f3a66e236766
                                                                    • Instruction ID: 15e43ff8cb00544444f872d82e17175287e7eb635d053f1a5a9ec7add534a683
                                                                    • Opcode Fuzzy Hash: 57ebb076af9d98385114bf1da9ece487a9a95e140cb074b17537f3a66e236766
                                                                    • Instruction Fuzzy Hash: 30F0C2329067225BC636BB797D0CA9B7BA8DF826B0B251355E525EA1D0CF25C441C790
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,03F495B4,00000000,00020019,03E741FB,00000000), ref: 03E7EF12
                                                                    • RegQueryValueExA.ADVAPI32(03E741FB,03F495AC,00000000,00000000,00000200,00000200), ref: 03E7EF35
                                                                    • RegCloseKey.ADVAPI32(03E741FB), ref: 03E7EF42
                                                                    • RegCloseKey.ADVAPI32(03E741FB), ref: 03E7EF4C
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Close$OpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 1607946009-0
                                                                    • Opcode ID: dea13be7a9ec2450a2c657df701e1b384c71a9bfeffb6faf8ba02474a12a2d95
                                                                    • Instruction ID: cd760c3d0f07c34ac193d47b3189851bf9ece3f2ef49f58ae265cc5479138b40
                                                                    • Opcode Fuzzy Hash: dea13be7a9ec2450a2c657df701e1b384c71a9bfeffb6faf8ba02474a12a2d95
                                                                    • Instruction Fuzzy Hash: 05016276740308BFEB10EBA1DC4AFAEBBB8AB45745F2402A1ED01F6181D7B0A615C751
                                                                    APIs
                                                                    • FindResourceA.KERNEL32(?,03E68765,000000F0), ref: 03E2D412
                                                                    • LoadResource.KERNEL32(?,00000000,?,?,?,?,03E352E6,?,?,03E68765,?,?,?,03E5E57F), ref: 03E2D41E
                                                                    • LockResource.KERNEL32(00000000,?,?,?,?,03E352E6,?,?,03E68765,?,?,?,03E5E57F), ref: 03E2D42B
                                                                    • FreeResource.KERNEL32(00000000,?,?,?,?,03E352E6,?,?,03E68765,?,?,?,03E5E57F), ref: 03E2D446
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindFreeLoadLock
                                                                    • String ID:
                                                                    • API String ID: 1078018258-0
                                                                    • Opcode ID: 6c4771258f62f7c2f2d13812eaf2bb91e2da440c0ef6aff120ddc41d1c444063
                                                                    • Instruction ID: fe6b971db90ad1d9630f3aa17493745cb54502c66cf25b388034cce9590a270c
                                                                    • Opcode Fuzzy Hash: 6c4771258f62f7c2f2d13812eaf2bb91e2da440c0ef6aff120ddc41d1c444063
                                                                    • Instruction Fuzzy Hash: DAF0F0362022312F9311AAA66C48A3BFBBDEFC15697095238FA24D2245CF2098018271
                                                                    APIs
                                                                    • FindResourceA.KERNEL32(?,?,00000005), ref: 03E35810
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 03E35818
                                                                    • LockResource.KERNEL32(00000000), ref: 03E35825
                                                                    • FreeResource.KERNEL32(00000000,00000000,?,?), ref: 03E3583D
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindFreeLoadLock
                                                                    • String ID:
                                                                    • API String ID: 1078018258-0
                                                                    • Opcode ID: 1c77d2684126e5c4586316d54a7192f77bbedffe310c16ff46632776b318834e
                                                                    • Instruction ID: 7024e84fa9fefd10d9b59ea0406a2d20e555c4fd8722e5d3e6f5cfe104df29ec
                                                                    • Opcode Fuzzy Hash: 1c77d2684126e5c4586316d54a7192f77bbedffe310c16ff46632776b318834e
                                                                    • Instruction Fuzzy Hash: 65F0BE36202224BBC701BBAAAC4CD9FFBBCEF4A2617044125F60693240EA708D018BA0
                                                                    APIs
                                                                    • GlobalFix.KERNEL32(?), ref: 03E719DC
                                                                    • GetLastError.KERNEL32(?,?,?,03E1592B,?), ref: 03E719E8
                                                                    • GlobalUnWire.KERNEL32(?), ref: 03E71A0D
                                                                    • GlobalFree.KERNEL32(?), ref: 03E71A14
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$ErrorFreeLastWire
                                                                    • String ID:
                                                                    • API String ID: 3649342095-0
                                                                    • Opcode ID: 961d26cfb6bfb07b4787af38aae77c1d0752fa11bf0a81795cb82342ea9a0108
                                                                    • Instruction ID: 664dc3e5ef6525ff53a1d26139d5875d70a8f25ea35d0f1b99b5a4b2a04a9594
                                                                    • Opcode Fuzzy Hash: 961d26cfb6bfb07b4787af38aae77c1d0752fa11bf0a81795cb82342ea9a0108
                                                                    • Instruction Fuzzy Hash: 46F020322023216BE220FB617C88BFF776CEF857A9F08532AF642C9140C720C8228261
                                                                    APIs
                                                                    • RtlEnterCriticalSection.NTDLL(03F77770), ref: 03E258DC
                                                                    • RtlInitializeCriticalSection.NTDLL(?), ref: 03E258EB
                                                                    • RtlLeaveCriticalSection.NTDLL(03F77770), ref: 03E258F8
                                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 03E25904
                                                                      • Part of subcall function 03E237D1: __CxxThrowException@8.LIBCMT ref: 03E237E5
                                                                      • Part of subcall function 03E237D1: __EH_prolog3.LIBCMT ref: 03E237F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                                                                    • String ID:
                                                                    • API String ID: 2895727460-0
                                                                    • Opcode ID: 0f2299ffb5ce90756bc5afdf4d3e6a0929e6cdd3de8a96f8d4d34c7e773a8c73
                                                                    • Instruction ID: dd8920a0b06f6651dfb62334629c449b80a77690662fef5628c0026729d76992
                                                                    • Opcode Fuzzy Hash: 0f2299ffb5ce90756bc5afdf4d3e6a0929e6cdd3de8a96f8d4d34c7e773a8c73
                                                                    • Instruction Fuzzy Hash: 0AF0F67360123CABD604FB58ED4476AFB6DEF86255F411236E54082041DB7180458A90
                                                                    APIs
                                                                    • GlobalFix.KERNEL32(?), ref: 03E71982
                                                                    • GetLastError.KERNEL32(?,?,03E1594B,?), ref: 03E7198A
                                                                    • SetEndOfFile.KERNEL32(00000104), ref: 03E719B2
                                                                    • GlobalUnWire.KERNEL32(?), ref: 03E719C4
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Global$ErrorFileLastWire
                                                                    • String ID:
                                                                    • API String ID: 2823217866-0
                                                                    • Opcode ID: 7352dbe9fcfe0397d0f1c149e0fc66a3efd36cea46d576163787d4a6ecce6e0c
                                                                    • Instruction ID: 7b2329d7c2b3c7000d02762109ccfaf5572331ddc4b88aee57e876d8f58914bc
                                                                    • Opcode Fuzzy Hash: 7352dbe9fcfe0397d0f1c149e0fc66a3efd36cea46d576163787d4a6ecce6e0c
                                                                    • Instruction Fuzzy Hash: 92F082B6201310BFD7116F75BC48E6B7BADEF983A5F115A25F587C6100D63188619A20
                                                                    APIs
                                                                    • EnableWindow.USER32(?,00000001), ref: 03E35787
                                                                    • GetActiveWindow.USER32 ref: 03E35792
                                                                    • SetActiveWindow.USER32(?,?,00000024), ref: 03E357A0
                                                                    • FreeResource.KERNEL32(?,?,00000024), ref: 03E357BC
                                                                      • Part of subcall function 03E2D68D: EnableWindow.USER32(?,?), ref: 03E2D69A
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ActiveEnable$FreeResource
                                                                    • String ID:
                                                                    • API String ID: 253586258-0
                                                                    • Opcode ID: 1cdeb719cef8628087c3fbc90e7444e9c7d26c2f83d595132db183c400e5df52
                                                                    • Instruction ID: 27370584b68e6809b8e1b227e6a80a25d4bc113fafa2ac7370cdc2730dc792b9
                                                                    • Opcode Fuzzy Hash: 1cdeb719cef8628087c3fbc90e7444e9c7d26c2f83d595132db183c400e5df52
                                                                    • Instruction Fuzzy Hash: 45F03C34A00618CFCF21EF65DC889AEF7B1BF4AB02B651258E002B6694C7726850CE61
                                                                    APIs
                                                                    • RtlEnterCriticalSection.NTDLL(03F77598), ref: 03E242DC
                                                                    • TlsGetValue.KERNEL32(03F7757C,?,?,00000000,03E247AA,?,00000004,03E2521A,03E237EB,03E27284,?,03E25C95,00000004,03E31AB7,00000004,03E5604C), ref: 03E242F1
                                                                    • RtlLeaveCriticalSection.NTDLL(03F77598), ref: 03E24307
                                                                    • RtlLeaveCriticalSection.NTDLL(03F77598), ref: 03E24312
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$Leave$EnterValue
                                                                    • String ID:
                                                                    • API String ID: 3969253408-0
                                                                    • Opcode ID: 8f7f02c3336af23ba34ebcbb699a90e85d2d5e6fc7151d7e34f6da23e9c345d0
                                                                    • Instruction ID: d42dda228aca3cb612e7d691efd40172c68cf00561a7326bc63e7d038d6022cd
                                                                    • Opcode Fuzzy Hash: 8f7f02c3336af23ba34ebcbb699a90e85d2d5e6fc7151d7e34f6da23e9c345d0
                                                                    • Instruction Fuzzy Hash: DAF082B6200620DFDB21EF26EC88C5B77FDEF8826234A5655E44693155D730F8148F60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$_strncpy
                                                                    • String ID:
                                                                    • API String ID: 1560530771-0
                                                                    • Opcode ID: a5de15dd80ca69a3e5250a45cead166c89ba2c18077c85a7bb904ca2335e7303
                                                                    • Instruction ID: 6321084a3f201020de899459f012b8d0c0cfcc4a322d5f9a3b572cf800586cd4
                                                                    • Opcode Fuzzy Hash: a5de15dd80ca69a3e5250a45cead166c89ba2c18077c85a7bb904ca2335e7303
                                                                    • Instruction Fuzzy Hash: 59E092B11043005FEB107A76AC03BD77399EF24315F000C1EB5E5C1252DA64DC819654
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$_strncpy
                                                                    • String ID:
                                                                    • API String ID: 1560530771-0
                                                                    • Opcode ID: a5de15dd80ca69a3e5250a45cead166c89ba2c18077c85a7bb904ca2335e7303
                                                                    • Instruction ID: 158b6e251d9d619ac3f24c3db9883d30a356c009f4cd60985a1bda2a3a074941
                                                                    • Opcode Fuzzy Hash: a5de15dd80ca69a3e5250a45cead166c89ba2c18077c85a7bb904ca2335e7303
                                                                    • Instruction Fuzzy Hash: CCE0DFBA204300AFEA22FA74BF80AD7B3EDEF00300F051D28F9E5C6010D771A8428650
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: @$@
                                                                    • API String ID: 2102423945-149943524
                                                                    • Opcode ID: 3c81aebc14cf1af1d6592a2640a6fc31a5c851510adaff5cbffc633468782507
                                                                    • Instruction ID: 9b61fe404cdd50679965370b94f84854ce12932bc04ff86f78b4a8d35534f34d
                                                                    • Opcode Fuzzy Hash: 3c81aebc14cf1af1d6592a2640a6fc31a5c851510adaff5cbffc633468782507
                                                                    • Instruction Fuzzy Hash: AD8134B1D00659AEDB50DFA4C585BDEBFF8AF0C349F20916AF904E6181E7788A44CB94
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID: (
                                                                    • API String ID: 1473721057-3887548279
                                                                    • Opcode ID: a54ec772123403e9c69b2a9367603750a1681a65c49a3c8fca6079f0cb46e20e
                                                                    • Instruction ID: 23c5f0dee81030e79b3b790b032b62d465af4b5cb606df75bc9d6d15a6b6aa5b
                                                                    • Opcode Fuzzy Hash: a54ec772123403e9c69b2a9367603750a1681a65c49a3c8fca6079f0cb46e20e
                                                                    • Instruction Fuzzy Hash: B9518975A10B44AFCB64CF2ACA8196AF7F5FF48314B545A2DE5838BA91C730F841CB40
                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 004287FF
                                                                      • Part of subcall function 0043E4A6: __FF_MSGBANNER.LIBCMT ref: 0043E4C9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _malloc
                                                                    • String ID: =mB$=mB
                                                                    • API String ID: 1579825452-2313385917
                                                                    • Opcode ID: fc5af0aeb4525edf5c816baa77c690901009600ee3e84a066d1749c15468cc5a
                                                                    • Instruction ID: aa04f8478086659b283c1c463520ce469ab8b0bdb7b90cda30466e2ed1568dee
                                                                    • Opcode Fuzzy Hash: fc5af0aeb4525edf5c816baa77c690901009600ee3e84a066d1749c15468cc5a
                                                                    • Instruction Fuzzy Hash: 22510B74A00219EFCB04DF98D891EAEBBB5FF8C350F108159E909AB351D774EA81CB95
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: IPStringTable
                                                                    • API String ID: 0-967448268
                                                                    • Opcode ID: 429df9b02e466edf3eedc8bf7707487493ca49806b8139560e0395f48df17fb1
                                                                    • Instruction ID: e0411cafd251925d3b8df13c3ac5d736f59f14e56c484bd746038e853eb507ea
                                                                    • Opcode Fuzzy Hash: 429df9b02e466edf3eedc8bf7707487493ca49806b8139560e0395f48df17fb1
                                                                    • Instruction Fuzzy Hash: F8418375A48215EFDB21DF54C8819AEBBF5FF04284F286A6DE58697241D730AD80CF90
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E1CEAD
                                                                      • Part of subcall function 03E366C6: RaiseException.KERNEL32(?,?,?,?), ref: 03E36706
                                                                    • __CxxThrowException@8.LIBCMT ref: 03E1CEF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID: Cannot unpack
                                                                    • API String ID: 3476068407-3728879263
                                                                    • Opcode ID: 89914965491777fc63aa1e91dc8343c2af991f6ed346f641c8c8c596bff0010f
                                                                    • Instruction ID: 39bd578ecf9000d47f1b94ac79ea14e6196fe9f02b908c7f9c0e086bb3eaa323
                                                                    • Opcode Fuzzy Hash: 89914965491777fc63aa1e91dc8343c2af991f6ed346f641c8c8c596bff0010f
                                                                    • Instruction Fuzzy Hash: 2B51C578A001099FC744EF94D990AAEB3F5FF8C310F248298E915AB355D732AE46CF91
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                     • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3_memset
                                                                    • String ID: @
                                                                    • API String ID: 2828583354-2766056989
                                                                    • Opcode ID: 8943c9f2bdde3daa8058bb9b8d8454a61af27583fa982c3ca152a8ab468e5451
                                                                    • Instruction ID: 5758897160aa8100f8ccb5f1b634d1e37c1c8976d1091cbe7abe77af014fd4e2
                                                                    • Opcode Fuzzy Hash: 8943c9f2bdde3daa8058bb9b8d8454a61af27583fa982c3ca152a8ab468e5451
                                                                    • Instruction Fuzzy Hash: 08415F71A00219AFDB10DFA5CC81FEEB7B4BF08304F14811AF615BB292DB74A945CBA4
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 03E67545
                                                                      • Part of subcall function 03E4C8A2: _strlen.LIBCMT ref: 03E4C8A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3__strlen
                                                                    • String ID: &ProdID=$&ProdOption=
                                                                    • API String ID: 807648885-2372976753
                                                                    • Opcode ID: dde9f842903b8e1f5ffd3ce40ced2b2b082747a58e48833cc8ae22162c401366
                                                                    • Instruction ID: d1dd4a55714cf5ffd581fffc07276ee3169ef8f33e14e47f555a6842abd1fff8
                                                                    • Opcode Fuzzy Hash: dde9f842903b8e1f5ffd3ce40ced2b2b082747a58e48833cc8ae22162c401366
                                                                    • Instruction Fuzzy Hash: 8F319379E00218ABCF15FBA4EC60EFEB6B9AF58644F107319F402BB290DF645E05C661
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBCMT ref: 00428435
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw
                                                                    • String ID: NtB$NtB
                                                                    • API String ID: 2005118841-3171782985
                                                                    • Opcode ID: 900c30a41ba54bca8d515ddc4510f553cf3b4f2ad723cf394cf89f9892464fdb
                                                                    • Instruction ID: 78b5b5daeabbd73be5f44ea75fd58de9b8713468d42e87f5a8627385df7c41b3
                                                                    • Opcode Fuzzy Hash: 900c30a41ba54bca8d515ddc4510f553cf3b4f2ad723cf394cf89f9892464fdb
                                                                    • Instruction Fuzzy Hash: E741FC74E0121ADFCB04DF98D594BAEBBB1FF48308F60859AD915AB341D734AA81CF94
                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 03E589D3
                                                                      • Part of subcall function 03E24DB9: __EH_prolog3.LIBCMT ref: 03E24DC0
                                                                      • Part of subcall function 03E60CFE: _malloc.LIBCMT ref: 03E60D11
                                                                    Strings
                                                                    • &#$(F()@#)$*&R&VHjDH*(#9@(@*&$V*><UJ&, xrefs: 03E58A42
                                                                    • IP_LANGUAGE_CODE, xrefs: 03E58A94
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog3H_prolog3__malloc
                                                                    • String ID: &#$(F()@#)$*&R&VHjDH*(#9@(@*&$V*><UJ&$IP_LANGUAGE_CODE
                                                                    • API String ID: 243267633-4252662932
                                                                    • Opcode ID: 47de60670a8252a11a15d83f1588521c2a554d5e0f03bb335438f55b6a745e04
                                                                    • Instruction ID: 8b182e407930f76420a8b5e5c8af7467cfffc76d582b2a213391e4b1f2fd4947
                                                                    • Opcode Fuzzy Hash: 47de60670a8252a11a15d83f1588521c2a554d5e0f03bb335438f55b6a745e04
                                                                    • Instruction Fuzzy Hash: A6313278900308AFDB14EFA5ED90DEEB7B9FF45304F146619F512AB192DB309A04CB20
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: @
                                                                    • API String ID: 4218353326-2766056989
                                                                    • Opcode ID: 94a0e059275f8fe8f6f36f417d9e6830e7f21229fac861824553a981d7a23326
                                                                    • Instruction ID: c31fd322d49764ffba97b499b2080f91c7943cffe010c4929b319eedb3e8d126
                                                                    • Opcode Fuzzy Hash: 94a0e059275f8fe8f6f36f417d9e6830e7f21229fac861824553a981d7a23326
                                                                    • Instruction Fuzzy Hash: 2B219EB190020DBFEF20AFA1CD81FAF7BACEF04355F104466FA01E6191E6759E409B65
                                                                    APIs
                                                                    • std::_String_base::_Xlen.LIBCPMT ref: 00454EBF
                                                                      • Part of subcall function 00454DE5: __EH_prolog3.LIBCMT ref: 00454DEC
                                                                      • Part of subcall function 00454DE5: std::runtime_error::runtime_error.LIBCPMT ref: 00454E09
                                                                      • Part of subcall function 00454DE5: __CxxThrowException@8.LIBCMT ref: 00454E1E
                                                                      • Part of subcall function 00454DE5: std::_String_base::_Xlen.LIBCPMT ref: 00454E34
                                                                      • Part of subcall function 00454DE5: char_traits.LIBCPMT ref: 00454E73
                                                                    • char_traits.LIBCPMT ref: 00454F25
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: String_base::_Xlenchar_traitsstd::_$Exception@8H_prolog3Throwstd::runtime_error::runtime_error
                                                                    • String ID: E
                                                                    • API String ID: 3929597106-2089609516
                                                                    • Opcode ID: 77ff173f7f5d60b2034c0d78a8e8ddc183034a0d7a4dab1361b002ca8663a27f
                                                                    • Instruction ID: 761f73f8dab9f5860878d077986e2187b4616d456b0c5ab6c396a6734fd0c8b8
                                                                    • Opcode Fuzzy Hash: 77ff173f7f5d60b2034c0d78a8e8ddc183034a0d7a4dab1361b002ca8663a27f
                                                                    • Instruction Fuzzy Hash: 6F11C472600108BBCB14DF09C881959B7A5EBD039EB10851AFC198F683C338FDD98698
                                                                    APIs
                                                                    • GetDriveTypeA.KERNEL32(?), ref: 03E74367
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: DriveType
                                                                    • String ID: \$\
                                                                    • API String ID: 338552980-164819647
                                                                    • Opcode ID: 4e40c070255637776c35bbbe0b13224b4642ec1155541351272ad3f441579679
                                                                    • Instruction ID: 2906c16b558aa9d8e901f7caef0024a5d1224e8aa1e2d218d01a70590e05a377
                                                                    • Opcode Fuzzy Hash: 4e40c070255637776c35bbbe0b13224b4642ec1155541351272ad3f441579679
                                                                    • Instruction Fuzzy Hash: E3012831908766AFDB11D63DAD1CAEA3BFC9B06148F589AE0D59EDB1C2D230F5448F90
                                                                    APIs
                                                                    • std::_String_base::_Xlen.LIBCPMT ref: 00454E34
                                                                      • Part of subcall function 00454DE5: __EH_prolog3.LIBCMT ref: 00454DEC
                                                                      • Part of subcall function 00454DE5: std::runtime_error::runtime_error.LIBCPMT ref: 00454E09
                                                                      • Part of subcall function 00454DE5: __CxxThrowException@8.LIBCMT ref: 00454E1E
                                                                    • char_traits.LIBCPMT ref: 00454E73
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924253455.0000000000414000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000005.00000002.1924146962.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924161837.0000000000401000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924175976.0000000000402000.00000080.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924190227.0000000000404000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924207176.000000000040C000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924222789.000000000040F000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924237915.0000000000412000.00000008.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.00000000004F4000.00000040.00000001.01000000.0000000A.sdmp
                                                                    • Associated: 00000005.00000002.1924253455.000000000058A000.00000040.00000001.01000000.0000000A.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_400000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8H_prolog3String_base::_ThrowXlenchar_traitsstd::_std::runtime_error::runtime_error
                                                                    • String ID: E
                                                                    • API String ID: 2731322863-2089609516
                                                                    • Opcode ID: 85fabd183576e766c825d06e9cb8f646eb8d680bfa22b02f311f5dc4cdb91c8f
                                                                    • Instruction ID: 110cbc077fef9fa16ee9982a2b1f66eeca9b22a1da54859d4b481396b968d225
                                                                    • Opcode Fuzzy Hash: 85fabd183576e766c825d06e9cb8f646eb8d680bfa22b02f311f5dc4cdb91c8f
                                                                    • Instruction Fuzzy Hash: 0901D8312001045FCB18DE5CD9C1AAE73A9FBC0729B15C51AF9198F603C778BD898BA8
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 03E31A53
                                                                    • PathFindExtensionA.SHLWAPI(?), ref: 03E31A69
                                                                      • Part of subcall function 03E31733: __EH_prolog3.LIBCMT ref: 03E31752
                                                                      • Part of subcall function 03E31733: GetModuleHandleA.KERNEL32(kernel32.dll,0000005C), ref: 03E3177C
                                                                      • Part of subcall function 03E31733: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 03E3178D
                                                                      • Part of subcall function 03E31733: ConvertDefaultLocale.KERNEL32(?), ref: 03E317C3
                                                                      • Part of subcall function 03E31733: ConvertDefaultLocale.KERNEL32(?), ref: 03E317CB
                                                                      • Part of subcall function 03E31733: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 03E317DF
                                                                      • Part of subcall function 03E31733: ConvertDefaultLocale.KERNEL32(?), ref: 03E31803
                                                                      • Part of subcall function 03E31733: ConvertDefaultLocale.KERNEL32(74DEF550), ref: 03E31809
                                                                      • Part of subcall function 03E31733: GetModuleFileNameA.KERNEL32(03E10DB0,00000000,00000105), ref: 03E3184A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath
                                                                    • String ID: %s%s.dll
                                                                    • API String ID: 2355367764-1649984862
                                                                    • Opcode ID: f84b98a45d736a74bcea575f598a3bda455dfbc35290d3c6fcea1a1364ef800d
                                                                    • Instruction ID: 30a8609646aaa9c4558c506889503dce2a6d3ee25efb077b13dee5fe44c002ff
                                                                    • Opcode Fuzzy Hash: f84b98a45d736a74bcea575f598a3bda455dfbc35290d3c6fcea1a1364ef800d
                                                                    • Instruction Fuzzy Hash: 3A01F97190422C9FCB04EB28DC46AEF73FCEF0A700F0405A9D501E7140E6309A44C7A1
                                                                    APIs
                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 03E2F093
                                                                    • GetClassNameA.USER32(?,?,0000000A), ref: 03E2F0A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: ClassLongNameWindow
                                                                    • String ID: combobox
                                                                    • API String ID: 1147815241-2240613097
                                                                    • Opcode ID: 04b91d69c74c66e74d5b920bfe0f04daaefa681030b0c28e25f8ef4372f79483
                                                                    • Instruction ID: 25d9c000f62575253481032b0654e8c1ab4d438d12396ff9630ec3dfee27884d
                                                                    • Opcode Fuzzy Hash: 04b91d69c74c66e74d5b920bfe0f04daaefa681030b0c28e25f8ef4372f79483
                                                                    • Instruction Fuzzy Hash: 38F0BB3155513DAFDB10FB74DD45EBF77BCEF056147404715E811EB180DA30A5058795
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: fake.dll$fakeVB.dll
                                                                    • API String ID: 0-1733345601
                                                                    • Opcode ID: 560f8d6d734a02ad9a37ce74899c7cc8e3b9fef48747e6990765043fdaf32da4
                                                                    • Instruction ID: 82655487e4a74e168415a889d2ea38ee727fd71a4b8a2137b3f07d06d562f75c
                                                                    • Opcode Fuzzy Hash: 560f8d6d734a02ad9a37ce74899c7cc8e3b9fef48747e6990765043fdaf32da4
                                                                    • Instruction Fuzzy Hash: 02F0A075A10208BBCF00DB65EC40AAF77A89F94156F00A358BC08DB240F671EA20C7A0
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,03E2050F,?,03E1EC30), ref: 03E204C5
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 03E204CC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: kernel32.dll
                                                                    • API String ID: 1646373207-1793498882
                                                                    • Opcode ID: 7866b7981e55aaab57b081b0cd8e44d507e2d3509902afced404182ed1a4551f
                                                                    • Instruction ID: 255b190ca2f74eec1808779163eae2c5a15a41bd935c6da9f787c5ebdb40757e
                                                                    • Opcode Fuzzy Hash: 7866b7981e55aaab57b081b0cd8e44d507e2d3509902afced404182ed1a4551f
                                                                    • Instruction Fuzzy Hash: 4AE0D870945164EFE740D7A4DC0DB7F3BACDB06206F5053A8ED06E7180E1709E104761
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,03E205CF,?,03E1EC40), ref: 03E20585
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 03E2058C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: kernel32.dll
                                                                    • API String ID: 1646373207-1793498882
                                                                    • Opcode ID: 368cb9ae7bba943610a0f00cf2984b2af6e2783a381be28ca065d26f05ed9353
                                                                    • Instruction ID: 8db4a71c1de57f6622f6dc2f54cf7ccd54af9f51c68d0cd54267e4446808dbc3
                                                                    • Opcode Fuzzy Hash: 368cb9ae7bba943610a0f00cf2984b2af6e2783a381be28ca065d26f05ed9353
                                                                    • Instruction Fuzzy Hash: C2E080F1A55229EFDF10E7F19C0976F7B7CDF05205F041764A506D2180E671DE104762
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 03E220E5
                                                                    • _swprintf.LIBCMT ref: 03E22102
                                                                      • Part of subcall function 03E38F19: __vsprintf_s_l.LIBCMT ref: 03E38F2C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: __vsprintf_s_l_memset_swprintf
                                                                    • String ID: exception caught: %d
                                                                    • API String ID: 2576962049-3655912745
                                                                    • Opcode ID: 996dc2d2afabc1c697c84fa910a28627995de43e54192e8c43d6e0d502b6e778
                                                                    • Instruction ID: b4c2563e562318c4bd98bb5b2da5f56f93bc7b56770c90b5cb8b0686c317014f
                                                                    • Opcode Fuzzy Hash: 996dc2d2afabc1c697c84fa910a28627995de43e54192e8c43d6e0d502b6e778
                                                                    • Instruction Fuzzy Hash: 1AE086B5A40308ABDB10D6648C42FDD76289B09610FD017C8B3147A1C0DA759B448768
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(03F48810,GetSystemMetrics,03E73FE3), ref: 03E73F7B
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 03E73F82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: GetSystemMetrics
                                                                    • API String ID: 1646373207-96882338
                                                                    • Opcode ID: 362260b4e36b704f24876684f7227c1d2633bf24027ef43aca89be307e17bcf3
                                                                    • Instruction ID: 9c06e8614ef4664fefc534f6b1e04acbd79b1e329a9c9892c1bfcd1b4a0c8771
                                                                    • Opcode Fuzzy Hash: 362260b4e36b704f24876684f7227c1d2633bf24027ef43aca89be307e17bcf3
                                                                    • Instruction Fuzzy Hash: C9C09B712D12775ACE1077F1BD0DD2D2A14AF45B477017B10F112CA4C9CDE040104711
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy20,r22,00000000), ref: 03E15C02
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy20$r22
                                                                    • API String ID: 2030045667-1846160732
                                                                    • Opcode ID: 78732d6b83f01f4de69273cffbb0c1274cab17032a8e53297e6645f215cd3f39
                                                                    • Instruction ID: c433bb4e936ac0dfb2e331a37fd8a45b86432b6bba9955ae2900b0f14dabff69
                                                                    • Opcode Fuzzy Hash: 78732d6b83f01f4de69273cffbb0c1274cab17032a8e53297e6645f215cd3f39
                                                                    • Instruction Fuzzy Hash: FEC092313C83087BE54065C6AC47F8B3A888B18FA7F101290BA1C692C284C264510459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy21,r21,00000000), ref: 03E15BE2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy21$r21
                                                                    • API String ID: 2030045667-3395507542
                                                                    • Opcode ID: 5f0d40636755a76a920bbc8c2c141a35440a23dbb8ecbcd2ac9da1915cda187c
                                                                    • Instruction ID: fdb98a57b8a1e7f6440e029dc61d7d2914fdaa3aac7bd4096bcb9de519a6c831
                                                                    • Opcode Fuzzy Hash: 5f0d40636755a76a920bbc8c2c141a35440a23dbb8ecbcd2ac9da1915cda187c
                                                                    • Instruction Fuzzy Hash: 6DC092303C4308BBE50061C6EC47F8B3A8C8F48FAFF1022A0BA1D692C254C164510459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy20,r20,00000000), ref: 03E15BC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy20$r20
                                                                    • API String ID: 2030045667-2147765360
                                                                    • Opcode ID: e5c48b9af69085012438f87614a5d240542cbb61e9cf25a8479612b762875ce8
                                                                    • Instruction ID: 17a160a971a0a29d2b7126da6c3ed5f8f8293224a858baea3d96f4cc572c7819
                                                                    • Opcode Fuzzy Hash: e5c48b9af69085012438f87614a5d240542cbb61e9cf25a8479612b762875ce8
                                                                    • Instruction Fuzzy Hash: D8C092313C4308BBE64061C6AC47F8A3A8C8F08FAEF1022A0B61C6A2C284D264520459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy19,r19,00000000), ref: 03E15BA2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy19$r19
                                                                    • API String ID: 2030045667-1500624840
                                                                    • Opcode ID: fcca51b3f8b9173326b595bbe31342088d698c98238cec7f5a67191f472a5053
                                                                    • Instruction ID: 568c13bcda3c12c9e5e8d95ff3f27144b77a827c461f73f2316362c573759348
                                                                    • Opcode Fuzzy Hash: fcca51b3f8b9173326b595bbe31342088d698c98238cec7f5a67191f472a5053
                                                                    • Instruction Fuzzy Hash: 1DC092313C4308BBE54061C6BD47F4A3A8C8B18FAAF101290B62C696C284C564610459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy18,r18,00000000), ref: 03E15B82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy18$r18
                                                                    • API String ID: 2030045667-320253678
                                                                    • Opcode ID: d4adfc7540f637be25adeb87f3c8c9fcc3e62c0f4043ae46bc695b93c8b9a783
                                                                    • Instruction ID: 04ae622922edd55196a9ac7ae543b74b1db13707570780655284966abfcf1edd
                                                                    • Opcode Fuzzy Hash: d4adfc7540f637be25adeb87f3c8c9fcc3e62c0f4043ae46bc695b93c8b9a783
                                                                    • Instruction Fuzzy Hash: 60C092303C4308BBE50061D6AC47F5A3A8C8B08FBBF101390B628A92C244C164610459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy17,r17,00000000), ref: 03E15B62
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy17$r17
                                                                    • API String ID: 2030045667-33105070
                                                                    • Opcode ID: d6d91ad6768c241fe7e4b58dd6ab23169967e3289245c054c23ca8463a645a64
                                                                    • Instruction ID: 1cf42e63d89288a12ebd31c599bf72391ffa4c00de99903ecd5210f369da9cc9
                                                                    • Opcode Fuzzy Hash: d6d91ad6768c241fe7e4b58dd6ab23169967e3289245c054c23ca8463a645a64
                                                                    • Instruction Fuzzy Hash: ACC092303C4308BBE540A1D6AD47F8A3A8C8B08FBBF101290B618AA2C254C164914459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy16,r16,00000000), ref: 03E15B42
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy16$r16
                                                                    • API String ID: 2030045667-1268661640
                                                                    • Opcode ID: c06f787dd27cc38544a78ceaa917c0de4a92d46fabefa93d0f1ad97a7d75535a
                                                                    • Instruction ID: 0257bfef4d5b54ffb3a7f246b9a0c4c55342c18ddf222a84e3a68e6c69153484
                                                                    • Opcode Fuzzy Hash: c06f787dd27cc38544a78ceaa917c0de4a92d46fabefa93d0f1ad97a7d75535a
                                                                    • Instruction Fuzzy Hash: AFC092303C8348BBE55061C6AD4BF4A3A8C8B08FAAF501290B618AA2C654C16495855A
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy13,r13,00000000), ref: 03E15B22
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy13$r13
                                                                    • API String ID: 2030045667-4078192247
                                                                    • Opcode ID: 678fbd4e8843bd29525322ab9f290bb73e973f47d13fdcf33d3f8d9df59bf161
                                                                    • Instruction ID: 94d43d9dd8de8276e6d32abac507c163351acf133a1ae9ef361dded500984998
                                                                    • Opcode Fuzzy Hash: 678fbd4e8843bd29525322ab9f290bb73e973f47d13fdcf33d3f8d9df59bf161
                                                                    • Instruction Fuzzy Hash: 32C092303C4308BBE50162C6AC4BF0E3E8C8B44F2AF101291F61C692C244C16455456A
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy12,r12,00000000), ref: 03E15B02
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy12$r12
                                                                    • API String ID: 2030045667-3111346001
                                                                    • Opcode ID: ffd2a317a7ebaa7ac3fe2f2444622a9fe5f27dc0a7699e4d748d017a2bb93170
                                                                    • Instruction ID: 529aa6c8706e563db76da9b1022f762e4c44fe81e49d37358e426b5b104114e0
                                                                    • Opcode Fuzzy Hash: ffd2a317a7ebaa7ac3fe2f2444622a9fe5f27dc0a7699e4d748d017a2bb93170
                                                                    • Instruction Fuzzy Hash: 45C092303C5308BBE60162C6AD4BF0A3A8C8B54E2AF201290B628692C284D164614459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy11,r11,00000000), ref: 03E15AE2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy11$r11
                                                                    • API String ID: 2030045667-1742369851
                                                                    • Opcode ID: a57645cea9b68ae554f35c52e8df31b64e95a771f4f97f8441a14ceefafee8ad
                                                                    • Instruction ID: fdd9e1b8f597652f8cce87de134030d743530b2aed8bd3502de407bc6eb94d17
                                                                    • Opcode Fuzzy Hash: a57645cea9b68ae554f35c52e8df31b64e95a771f4f97f8441a14ceefafee8ad
                                                                    • Instruction Fuzzy Hash: 4CC092303C5308BBE60061C6AD47F0F3E8CCB18E6EF101290B628692C285C2A4614459
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_dummy10,r10,00000000), ref: 03E15AC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_dummy10$r10
                                                                    • API String ID: 2030045667-767388957
                                                                    • Opcode ID: c557d4cc3177b253cf70eb4d432a10522d1e29a4ef28446ddd08a41807b50326
                                                                    • Instruction ID: 109ea68d939c6b74eea2b3ac43342d80df4547b7cb6184c82ff4e61c5ad4bfcc
                                                                    • Opcode Fuzzy Hash: c557d4cc3177b253cf70eb4d432a10522d1e29a4ef28446ddd08a41807b50326
                                                                    • Instruction Fuzzy Hash: B2C092303C4348BBE500A2C6AD47F0A3E8C8B1AF6AF102290B619692C284C1645104AA
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_GetExecutionsRemaining,n24,00000000), ref: 03E15A22
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_GetExecutionsRemaining$n24
                                                                    • API String ID: 2030045667-1110388601
                                                                    • Opcode ID: cdbd0cabbe99f009b34ed2ab044c7bf97f21d65a9db516b2bae99b1951fce620
                                                                    • Instruction ID: 390ca25351093c7bb23a63c87784d9adfb109e192f1c4fc06e05d0111e205e92
                                                                    • Opcode Fuzzy Hash: cdbd0cabbe99f009b34ed2ab044c7bf97f21d65a9db516b2bae99b1951fce620
                                                                    • Instruction Fuzzy Hash: 98C092303C530C7BE55071C6BC07F0A3A4C8B19F6AF412250BA2C6A6C248C1A85506D9
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_Validate,n21,00000000), ref: 03E159E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_Validate$n21
                                                                    • API String ID: 2030045667-979743836
                                                                    • Opcode ID: 44663fecbe20112658fb8e246ec356c2414de05c3e735f7b58a47d6a63570ca7
                                                                    • Instruction ID: 97537934e2b00a59733176a7c05564327c4da3977b3f223bf61f6d765270dd85
                                                                    • Opcode Fuzzy Hash: 44663fecbe20112658fb8e246ec356c2414de05c3e735f7b58a47d6a63570ca7
                                                                    • Instruction Fuzzy Hash: 96C092383C4348BBE51161CAAD0BF8E3E5C8B88F3AF001260F6186A2D694C1645604A9
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_GetCompID,n20,00000000), ref: 03E159C2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_GetCompID$n20
                                                                    • API String ID: 2030045667-3257562162
                                                                    • Opcode ID: 93c31d86632b3e25deaed2dabe31af2fb102b4f91480f4c23b96d956f0d7b53e
                                                                    • Instruction ID: f39e64ae951986a47618f7084360748e8332cf7751b86977806236de959303be
                                                                    • Opcode Fuzzy Hash: 93c31d86632b3e25deaed2dabe31af2fb102b4f91480f4c23b96d956f0d7b53e
                                                                    • Instruction Fuzzy Hash: 1EC092393C438C7BE51161C6AC07F9A3A488B08F25F201260B6186A2E284D274654469
                                                                    APIs
                                                                    • MessageBoxA.USER32(00000000,WR_GETTIME,n12,00000000), ref: 03E159A2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: WR_GETTIME$n12
                                                                    • API String ID: 2030045667-1554187331
APIs
• MessageBoxA.USER32(00000000,WR_GETDATE,n11,00000000), ref: 03E15982
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: Message
• String ID: WR_GETDATE$n11
• API String ID: 2030045667-2921822694
APIs
• MessageBoxA.USER32(00000000,WR_SEMCOUNT,n15,00000000), ref: 03E15962
Strings
Memory Dump Source
• Source File: 00000005.00000002.1924918994.0000000003E11000.00000040.00001000.00020000.00000000.sdmp, Offset: 03E11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3e11000_deactivate.jbxd
Similarity
• API ID: Message
• String ID: WR_SEMCOUNT$n15
• API String ID: 2030045667-3457385132