
Windows Analysis Report
WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi

Overview

General Information

Sample name:WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
renamed because original name is a hash value
Original sample name:WPS v76.23.66.msi
Analysis ID:1475158
MD5:8b1b9af08bc62e4608d21b5568c0a581
SHA1:acc808accbb6897da328a1def679b42e198bf9e0
SHA256:4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b
Tags:msi

Detection

FatalRAT, GhostRat, Nitol
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Adds / modifies Windows certificates
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 6496 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6664 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2896 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AF7A5A98FCE59EB21923DEC3642535A5 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6516 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FC7440F48901E81826ED2A23961C7067 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSI704E.tmp (PID: 6684 cmdline: "C:\Windows\Installer\MSI704E.tmp" /DontWait "C:\Users\user\AppData\Roaming\WPS.exe" MD5: B9545ED17695A32FACE8C3408A6A3553)
    • MSI706F.tmp (PID: 6340 cmdline: "C:\Windows\Installer\MSI706F.tmp" /DontWait "C:\ProgramData\Microsoft\MF\thelper.exe" MD5: B9545ED17695A32FACE8C3408A6A3553)
  • WPS.exe (PID: 7212 cmdline: "C:\Users\user\AppData\Roaming\WPS.exe" MD5: B52BA2B99108C496389AE5BB81FA6537)
    • WPS.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Roaming\WPS.exe" -upgradepower MD5: B52BA2B99108C496389AE5BB81FA6537)
  • thelper.exe (PID: 7224 cmdline: "C:\ProgramData\Microsoft\MF\thelper.exe" MD5: 17749F66292F190EF93652EB512C5AB7)
    • thelper.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\thelper.exe" MD5: 17749F66292F190EF93652EB512C5AB7)
  • thelper.exe (PID: 7232 cmdline: C:\ProgramData\Microsoft\MF\thelper.exe MD5: 17749F66292F190EF93652EB512C5AB7)
  • thelper.exe (PID: 7272 cmdline: C:\ProgramData\Microsoft\MF\thelper.exe MD5: 17749F66292F190EF93652EB512C5AB7)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
(16 entries in total; first 5 shown)
Source | Rule | Description | Author | Strings
8.2.thelper.exe.31c0000.6.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
8.2.thelper.exe.31c0000.6.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
8.2.thelper.exe.31c0000.6.unpack | MALWARE_Win_FatalRAT | Detects FatalRAT | ditekSHen | strings matched:
                • 0x20c46:$x1: XXAcQbcXXfRSScR
                • 0x20a70:$s1: CHROME_NO_DATA
                • 0x20a80:$s1: CHROME_NO_DATA
                • 0x20a90:$s1: CHROME_NO_DATA
                • 0x20aa0:$s2: CHROME_UNKNOW
                • 0x20ab0:$s2: CHROME_UNKNOW
                • 0x20ac0:$s2: CHROME_UNKNOW
                • 0x20ad0:$s2: CHROME_UNKNOW
                • 0x20ae0:$s2: CHROME_UNKNOW
                • 0x20af0:$s2: CHROME_UNKNOW
                • 0x20b00:$s2: CHROME_UNKNOW
                • 0x20b10:$s2: CHROME_UNKNOW
                • 0x20b20:$s2: CHROME_UNKNOW
                • 0x20d68:$s3: -Thread running...
                • 0x21c2c:$s4: InetCpl.cpl,ClearMyTracksByProcess
                • 0x20b8e:$s5: MSAcpi_ThermalZoneTemperature
                • 0x20cf0:$s6: taskkill /f /im rundll32.exe
                • 0x21cf0:$s7: del /s /f %appdata%\Mozilla\Firefox
                • 0x222a4:$s8: \\%s\C$\
                • 0x20a44:$s9: fnGetChromeUserInfo
                • 0x20e1c:$s10: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
9.2.thelper.exe.2cc0000.6.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
9.2.thelper.exe.2cc0000.6.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security

                    System Summary

                    Source: Network Connection | Author: frack113 | Data: DestinationIp: 54.224.49.0, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2896, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
                    Timestamp:07/17/24-17:10:19.103117
                    SID:2849814
                    Source Port:49733
                    Destination Port:80
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/17/24-17:10:19.103117
                    SID:2849813
                    Source Port:49733
                    Destination Port:80
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:2024-07-17T17:10:24.358485+0200
                    SID:2840787
                    Source Port:49741
                    Destination Port:443
                    Protocol:TCP
                    Classtype:Potentially Bad Traffic
                    Timestamp:2024-07-17T17:10:19.276636+0200
                    SID:2849814
                    Source Port:49733
                    Destination Port:80
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:2024-07-17T17:10:19.276636+0200
                    SID:2849813
                    Source Port:49733
                    Destination Port:80
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:2024-07-17T17:10:19.276636+0200
                    SID:2848122
                    Source Port:49733
                    Destination Port:80
                    Protocol:TCP
                    Classtype:Misc activity

                    AV Detection

                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.2% probability
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_d563f2eb-3)
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll2\Debug\Dll2.pdb source: thelper.exe, 00000007.00000002.1798443711.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000008.00000002.1794970185.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000009.00000002.1787878704.000000006C19E000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll6\Debug\Dll6.pdb source: thelper.exe, 00000007.00000002.1801136745.000000006C51F000.00000002.00000001.01000000.00000011.sdmp, thelper.exe, 00000008.00000002.1796688584.000000006C51F000.00000002.00000001.01000000.00000011.sdmp, thelper.exe, 00000009.00000002.1796619824.000000006C51F000.00000002.00000001.01000000.00000011.sdmp, mt.dll.1.dr
                    Source: Binary string: wininet.pdb source: shi5E8D.tmp.2.dr
                    Source: Binary string: msvcr90.i386.pdb source: msvcr90.dll.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLLuaRuntime\XLLuaRuntime.pdb source: thelper.exe, 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp, thelper.exe, 00000008.00000002.1788918364.0000000010031000.00000002.00000001.01000000.0000000C.sdmp, thelper.exe, 00000009.00000002.1782523120.0000000000F01000.00000002.00000001.01000000.0000000C.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI704E.tmp, 00000004.00000000.1763370399.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI704E.tmp, 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI706F.tmp, 00000005.00000000.1764144098.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, MSI706F.tmp, 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr
                    Source: Binary string: atl90.i386.pdb source: thelper.exe, 00000007.00000002.1801688962.000000006C981000.00000020.00000001.01000000.0000000A.sdmp, thelper.exe, 00000008.00000002.1797050469.000000006C981000.00000020.00000001.01000000.0000000A.sdmp, thelper.exe, 00000009.00000002.1797063230.000000006C981000.00000020.00000001.01000000.0000000A.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLUE\XLUE.pdb| source: thelper.exe, 00000007.00000002.1795613339.00000000101B8000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000008.00000002.1786695817.0000000001568000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000009.00000002.1785152260.00000000101B8000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: d3d12.pdbUGP source: shi5FD6.tmp.2.dr
                    Source: Binary string: E:\project\svn_3rd_source\sqlite-amalgamation-3071100\sqlitedll\Release\sqlite3.pdb source: sqlite3.dll.1.dr
                    Source: Binary string: E:\project\svn_3rd_source\sqlite-amalgamation-3071100\sqlitedll\Release\sqlite3.pdbQh source: sqlite3.dll.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdbH' source: thelper.exe, 00000009.00000002.1783012666.0000000001253000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbz source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI5C5C.tmp.1.dr, 5559f9.msi.1.dr, MSI5D0A.tmp.1.dr
                    Source: Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp
                    Source: Binary string: e:\Work\Thunder\xl8_client\thunder\src\BrowserSupport\pdb\ProductRelease\BrowserSupport.pdb source: thelper.exe, 00000007.00000000.1768993886.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000007.00000003.1774208611.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1786041431.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000008.00000002.1785928209.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000008.00000000.1770305223.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000009.00000002.1782793760.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000009.00000000.1771983142.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 0000000C.00000000.1780060388.000000000086F000.00000002.00000001.01000000.00000013.sdmp, thelper.exe.1.dr
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll2\Debug\Dll2.pdb( source: thelper.exe, 00000007.00000002.1798443711.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000008.00000002.1794970185.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000009.00000002.1787878704.000000006C19E000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLFSIO\XLFSIO.pdb source: thelper.exe, 00000007.00000002.1786560974.0000000001036000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000008.00000002.1787276109.0000000001776000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000009.00000002.1782646237.0000000000F36000.00000002.00000001.01000000.00000010.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler2.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI6CD3.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI6BB7.tmp.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLUE\XLUE.pdb source: thelper.exe, 00000007.00000002.1795613339.00000000101B8000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000008.00000002.1786695817.0000000001568000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000009.00000002.1785152260.00000000101B8000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll1\KSMDYH-DLL\Dll1.pdb source: thelper.exe, 00000007.00000002.1799731429.000000006C2BF000.00000002.00000001.01000000.00000009.sdmp, thelper.exe, 00000008.00000002.1796020662.000000006C2BF000.00000002.00000001.01000000.00000009.sdmp, thelper.exe, 00000009.00000002.1795835586.000000006C2BF000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdbHn source: thelper.exe, 00000008.00000002.1787044398.00000000016C3000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdbH source: thelper.exe, 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: e:\project\svn_3rd_source\XML\bin\libexpat.pdb source: thelper.exe, 00000007.00000002.1796864841.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000008.00000002.1789246295.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000009.00000002.1786563464.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, libexpat.dll.1.dr
                    Source: Binary string: d3d12.pdb source: shi5FD6.tmp.2.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdb source: thelper.exe, 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp, thelper.exe, 00000008.00000002.1787044398.00000000016C3000.00000002.00000001.01000000.0000000D.sdmp, thelper.exe, 00000009.00000002.1783012666.0000000001253000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: wininet.pdbUGP source: shi5E8D.tmp.2.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: e:\project\svn_3rd_source\XML\bin\libexpat.pdblA source: thelper.exe, 00000007.00000002.1796864841.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000008.00000002.1789246295.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000009.00000002.1786563464.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, libexpat.dll.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI5C5C.tmp.1.dr, 5559f9.msi.1.dr, MSI5D0A.tmp.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI704E.tmp, 00000004.00000000.1763370399.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI704E.tmp, 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI706F.tmp, 00000005.00000000.1764144098.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, MSI706F.tmp, 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr
                    Source: Binary string: H:\rc_v11_personal_20221122_branch\Build\Release\WPSOffice\office6\addons\konlinesetup\konlinesetup.pdb source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp
                    Source: C:\Windows\System32\msiexec.exe | File opened: z:
                    Source: C:\Windows\System32\msiexec.exe | File opened: x:
                    Source: C:\Windows\System32\msiexec.exe | File opened: v:
                    Source: C:\Windows\System32\msiexec.exe | File opened: t:
                    Source: C:\Windows\System32\msiexec.exe | File opened: r:
                    Source: C:\Windows\System32\msiexec.exe | File opened: p:
                    Source: C:\Windows\System32\msiexec.exe | File opened: n:
                    Source: C:\Windows\System32\msiexec.exe | File opened: l:
                    Source: C:\Windows\System32\msiexec.exe | File opened: j:
                    Source: C:\Windows\System32\msiexec.exe | File opened: h:
                    Source: C:\Windows\System32\msiexec.exe | File opened: f:
                    Source: C:\Windows\System32\msiexec.exe | File opened: b:
                    Source: C:\Windows\System32\msiexec.exe | File opened: y:
                    Source: C:\Windows\System32\msiexec.exe | File opened: w:
                    Source: C:\Windows\System32\msiexec.exe | File opened: u:
                    Source: C:\Windows\System32\msiexec.exe | File opened: s:
                    Source: C:\Windows\System32\msiexec.exe | File opened: q:
                    Source: C:\Windows\System32\msiexec.exe | File opened: o:
                    Source: C:\Windows\System32\msiexec.exe | File opened: m:
                    Source: C:\Windows\System32\msiexec.exe | File opened: k:
                    Source: C:\Windows\System32\msiexec.exe | File opened: i:
                    Source: C:\Windows\System32\msiexec.exe | File opened: g:
                    Source: C:\Windows\System32\msiexec.exe | File opened: e:
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | File opened: c:
                    Source: C:\Windows\System32\msiexec.exe | File opened: a:
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00A6B02D
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,5_2_001AB02D
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F89398 PathFileExistsW,FindFirstFileW,FindClose,7_2_00F89398
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F97450 __EH_prolog3_GS,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z,??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEAB_WI@Z,??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@_W@Z,??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z,FindFirstFileW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ,FindNextFileW,FindClose,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ,FindClose,7_2_00F97450
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F89407 GetFileAttributesExW,FindFirstFileW,FindClose,CreateFileW,GetFileSizeEx,CloseHandle,7_2_00F89407
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F9766D __EH_prolog3,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z,??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEAB_WI@Z,??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z,memset,_swprintf,_swprintf,FindFirstFileW,DeleteFileW,_wcsicmp,_wcsicmp,memset,_swprintf,RemoveDirectoryW,_wcsicmp,memset,_swprintf,_swprintf,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ,7_2_00F9766D

                    Networking

                    Source: Traffic | Snort IDS: 2849814 ETPRO MALWARE TakeMyFile User-Agent 192.168.2.4:49733 -> 54.224.49.0:80
                    Source: Traffic | Snort IDS: 2849813 ETPRO MALWARE TakeMyFile Installer Checkin 192.168.2.4:49733 -> 54.224.49.0:80
                    Source: global traffic | HTTP traffic detected: POST /api/v1/link HTTP/1.1 | Host: downloader.wps.cn | Accept: */* | Client-Type: loader-pc | Client-Chan: 10.1.xxxx | Client-Ver: 1.0.0 | Client-Lang: zh | Content-Type: application/json | Authorization: WPS:yqW282sr:YzhiYWY3ZjA1NWE5MGNmOWY2YzUyYjgzNjMyMjczNDUyMmQ5ZjMwZA== | Date: Wed, 17 Jul 2024 16:40:47 GMT | Content-Md5: ZmUyMDdjYmZiOTFiZmIyMjQxOGZhNWNhZjU1ODgxZGY= | Content-Length: 151
                    Source: global traffic | HTTP traffic detected: POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json | Content-Length: 185 | Host: dw-online.ksosoft.com
                    Source: global traffic | HTTP traffic detected: POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json | Content-Length: 120 | Host: dw-online.ksosoft.com (3 identical requests)
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json | dw-protocol: 1.0 | Content-Length: 889 | Host: shuc-pc-snow.ksord.com
                    Source: global traffic | HTTP traffic detected: POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json | Content-Length: 120 | Host: dw-online.ksosoft.com (12 identical requests)
                    Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F9B852 recv,WSAGetLastError,?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,IsBadCodePtr,?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z,7_2_00F9B852
                    Source: global traffic | DNS traffic detected: DNS query: collect.installeranalytics.com
                    Source: global traffic | DNS traffic detected: DNS query: dw-online.ksosoft.com
                    Source: global traffic | DNS traffic detected: DNS query: shuc-pc-snow.ksord.com
                    Source: global traffic | DNS traffic detected: DNS query: downloader.wps.cn
                    Source: unknown | HTTP traffic detected: POST /api/v1/link HTTP/1.1 | Host: downloader.wps.cn | Accept: */* | Client-Type: loader-pc | Client-Chan: 10.1.xxxx | Client-Ver: 1.0.0 | Client-Lang: zh | Content-Type: application/json | Authorization: WPS:yqW282sr:YzhiYWY3ZjA1NWE5MGNmOWY2YzUyYjgzNjMyMjczNDUyMmQ5ZjMwZA== | Date: Wed, 17 Jul 2024 16:40:47 GMT | Content-Md5: ZmUyMDdjYmZiOTFiZmIyMjQxOGZhNWNhZjU1ODgxZGY= | Content-Length: 151
                    Source: shi5E8D.tmp.2.dr | String found in binary or memory: http://.css
                    Source: shi5E8D.tmp.2.dr | String found in binary or memory: http://.jpg
                    Source: thelper.exe, 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://SVP7.NET:9874/AnyDesk.exe
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, WPS.exe.1.dr, 5559f9.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784540865.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, WPS.exe.1.dr, 5559f9.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784540865.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, WPS.exe.1.dr, 5559f9.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.drString found in binary or memory: http://collect.installeranalytics.com
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
                    Source: thelper.exe, 00000007.00000003.1774208611.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, thelper.exe.1.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, WPS.exe.1.dr, 5559f9.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784540865.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, WPS.exe.1.dr, 5559f9.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: WPS.exe.1.dr, 5559f9.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784540865.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: http://dw-collect-debug.ksord.com)
                    Source: WPS.exe, 0000000D.00000002.2960709517.0000000000DBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dw-online.ksosoft.com
                    Source: WPS.exe, 0000000D.00000003.1815264033.00000000041EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dw-online.ksosoft.com/
                    Source: WPS.exe, 0000000D.00000003.1810291236.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1815264033.00000000041EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dw-online.ksosoft.com/Ut
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: http://dw-online.ksosoft.com/api/dynamicParam/v1/app/dynamicUrldnsParseIpserverTimegzipSizesplitSize
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: http://dw-online.ksosoft.com/api/dynamicParam/v3/app/2.8.16dcsdk_eventv3.dbdcsdk_dpv3.datadcsdk_cfg.
                    Source: WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.0000000004415000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1815264033.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827340173.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881330582.000000000441C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686
                    Source: WPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2960709517.0000000000DBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://event.4wps.net
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: http://event.4wps.nethttps://event.wps.comtELAPSE_UPDATE_DYNAMIC_PARAM_MINELAPSE_UPDATE_DYNAMIC_PARA
                    Source: shi5E8D.tmp.2.drString found in binary or memory: http://html4/loose.dtd
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784540865.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784540865.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, WPS.exe.1.dr, 5559f9.msi.1.drString found in binary or memory: http://ocsp.digicert.com0A
                    Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, WPS.exe.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, WPS.exe.1.dr, 5559f9.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: thelper.exe, 00000007.00000003.1774208611.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, thelper.exe.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: http://s.symcd.com06
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: WPS.exe, 0000000D.00000003.1833756944.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1913532163.000000000444F000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2963810700.000000000444A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1826993237.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881330582.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827440740.000000000444E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ks
Source: WPS.exe, 0000000D.00000003.1810291236.00000000041EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com
Source: WPS.exe, 0000000D.00000003.1809492594.0000000004469000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2962702524.00000000041EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com)
Source: WPS.exe, 0000000D.00000003.1815264033.00000000041EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com)7
Source: WPS.exe, 0000000D.00000003.1827340173.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com);B
Source: WPS.exe, 0000000D.00000003.1810291236.00000000041EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com)Ct
Source: WPS.exe, 0000000D.00000003.1827340173.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com)EB
Source: WPS.exe, 0000000D.00000003.1809611089.000000000444E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com)e
Source: WPS.exe, 0000000D.00000003.1881718056.0000000004455000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881330582.000000000444E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com)q
Source: WPS.exe, 0000000D.00000003.1833756944.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827656785.0000000004453000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1826993237.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827440740.000000000444E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com)t
Source: WPS.exe, 0000000D.00000003.1810291236.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1914796126.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1815394137.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2963810700.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com/
Source: WPS.exe, 0000000D.00000003.1815394137.0000000000E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com/NB
Source: WPS.exe, 0000000D.00000003.1881330582.000000000443C000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1833564279.000000000443B000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1826993237.000000000443B000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000443B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.com:80/=
Source: WPS.exe, 0000000D.00000003.1810291236.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1815264033.00000000041EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://shuc-pc-snow.ksord.comot
Source: thelper.exe | String found in binary or memory: http://stat.download.xunlei.com:8080/?aid=1009&id=%d&peerid=%s&click=1
Source: thelper.exe, 00000007.00000000.1768993886.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000007.00000003.1774208611.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1786041431.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000008.00000002.1785928209.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000008.00000000.1770305223.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000009.00000002.1782793760.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000009.00000000.1771983142.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 0000000C.00000000.1780060388.000000000086F000.00000002.00000001.01000000.00000013.sdmp, thelper.exe.1.dr | String found in binary or memory: http://stat.download.xunlei.com:8080/?aid=1009&id=%d&peerid=%s&click=1instdirSOFTWARE
Source: thelper.exe, 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://svp7.net:9874/UltraViewer.exe
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: thelper.exe, 00000007.00000003.1774208611.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, thelper.exe.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: thelper.exe, 00000007.00000003.1774208611.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, thelper.exe.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: thelper.exe, 00000007.00000003.1774208611.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, thelper.exe.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784375869.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784186465.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784463304.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784540865.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: thelper.exe, 00000009.00000002.1782646237.0000000000F36000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: thelper.exe, 00000007.00000002.1786560974.0000000001036000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000008.00000002.1787276109.0000000001776000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000009.00000002.1782646237.0000000000F36000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll-DeleteNoRemoveForceRemoveValBDMS
Source: thelper.exe, 00000007.00000002.1786560974.0000000001036000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000008.00000002.1787276109.0000000001776000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000009.00000002.1782646237.0000000000F36000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll1.2.3
Source: WPS.exe, 0000000D.00000002.2960709517.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.wps.cn/privacy/privacyprotect2
Source: WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr | String found in binary or memory: https://collect.installeranalytics.com
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr | String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: WPS.exe, 00000006.00000003.1770673509.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770770886.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770958115.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770721164.0000000001393000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770911106.0000000001399000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1770837654.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784303099.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784093714.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784125821.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784349858.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784155851.0000000000DED000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1784256439.0000000000E01000.00000004.00000020.00020000.00000000.sdmp, WPS.exe.1.dr | String found in binary or memory: https://d.symcb.com/rpa0.
Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2960709517.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://downloader.wps.cn/api/v1/link
Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://downloader.wps.cn/api/v1/link/api/v1/linkloader-pc10.1.xxxx1.0.0zhapplication/json%02xWPS:%s
Source: WPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://event.wps.com
Source: WPS.exe, 0000000D.00000002.2960709517.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://event.wps.comr
Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://get.wps.cn/feedback/pc
Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://get.wps.cn/feedback/pchttps://official-package.wpscdn.cn/wps/download/WPS_Setup.exe1test
Source: WPS.exe, 0000000D.00000003.1913366269.0000000000E65000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1913532163.000000000446B000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1915053692.000000000444A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1914405477.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1913532163.000000000444F000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2960709517.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2960709517.0000000000E65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://official-package.wpscdn.cn/wps/download/WPS_Setup_15319.exe
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: WPS.exe, 0000000D.00000002.2960709517.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.wps.cn/privacy/useragreement
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443

                    E-Banking Fraud

                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR

                    System Summary

                    Source: 8.2.thelper.exe.31c0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects FatalRAT Author: ditekSHen
                    Source: 9.2.thelper.exe.2cc0000.6.unpack, type: UNPACKEDPE | Matched rule: Detects FatalRAT Author: ditekSHen
                    Source: 7.2.thelper.exe.1130000.6.unpack, type: UNPACKEDPE | Matched rule: Detects FatalRAT Author: ditekSHen
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5559f9.msi
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5BCE.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5C5C.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5C7C.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5D0A.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5D97.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6950.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6990.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6A9A.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6ABB.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6B0A.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{0643F5DB-9DB9-46E7-9FAB-792BF97FAEF8}
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6BB7.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6BB8.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6C74.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6CD3.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI704E.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI706F.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI70BE.tmp
                    Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI5BCE.tmp
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | Binary or memory string: OriginalFilenameviewer.exeF vs WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | Binary or memory string: OriginalFilenameaischeduler.dllF vs WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
                    Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
                    Source: 8.2.thelper.exe.31c0000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                    Source: 9.2.thelper.exe.2cc0000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                    Source: 7.2.thelper.exe.1130000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_FatalRAT author = ditekSHen, description = Detects FatalRAT
                    Source: shi5E8D.tmp.2.dr | Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
                    Source: classification engine | Classification label: mal100.troj.evad.winMSI@17/62@4/4
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F970CA __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,GetDiskFreeSpaceExW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A33860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A34BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A345B0 LoadResource,LockResource,SizeofResource
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\v76.23.66
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\WPS.exe
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Mutant created: \Sessions\1\BaseNamedObjects\xl8.browserSupport.mutexId
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Mutant created: \Sessions\1\BaseNamedObjects\KOnlinesetupOnlineStoreMutexNew_EF472A88-E1D0-44DF-B44E-FF5186E43ADC
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Mutant created: \Sessions\1\BaseNamedObjects\{7B585BD5-8E73-4058-B7DF-F46EE9AB43BC}KDCSDK_RESTORE_LOCK_MUTEXc61d70264a276dce577f59ab220eb5d6
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Mutant created: \Sessions\1\BaseNamedObjects\{7B585BD5-8E73-4058-B7DF-F46EE9AB43BC}KDCSDK_SEND_DEVICE_INFO_MUTEX
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Mutant created: \Sessions\1\BaseNamedObjects\KdcDBGlobalMutexC:_Users_user_AppData_Roaming_kingsoft_wps_dcsdk_dcsdk_eventv3.db
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Mutant created: \Sessions\1\BaseNamedObjects\_KHDIDMGR_3E67DFEF-DF4E-4CC6-9413-5F71C7C96C04
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Mutant created: \Sessions\1\BaseNamedObjects\{7B585BD5-8E73-4058-B7DF-F46EE9AB43BC}other1721229014106_7412
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF53F1EB06D587FA2C.TMP
                    Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Program Files (x86)\desktop.ini
                    Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: WPS.exe, 0000000D.00000002.2960709517.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM groups limit 60;CASE
                    Source: sqlite3.dll.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: sqlite3.dll.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: sqlite3.dll.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: WPS.exe, 0000000D.00000002.2960709517.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM groups limit 60;NARY
                    Source: sqlite3.dll.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: WPS.exe, 0000000D.00000002.2960709517.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM groups limit 60;
                    Source: sqlite3.dll.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: sqlite3.dll.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: WPS.exe, 0000000D.00000002.2960709517.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM groups limit 60;RIM
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                    Source: sqlite3.dll.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                    Source: sqlite3.dll.1.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi"
                    Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7A5A98FCE59EB21923DEC3642535A5
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FC7440F48901E81826ED2A23961C7067 E Global\MSI0000
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI704E.tmp "C:\Windows\Installer\MSI704E.tmp" /DontWait "C:\Users\user\AppData\Roaming\WPS.exe"
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI706F.tmp "C:\Windows\Installer\MSI706F.tmp" /DontWait "C:\ProgramData\Microsoft\MF\thelper.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\WPS.exe "C:\Users\user\AppData\Roaming\WPS.exe"
                    Source: unknown | Process created: C:\ProgramData\Microsoft\MF\thelper.exe "C:\ProgramData\Microsoft\MF\thelper.exe"
                    Source: unknown | Process created: C:\ProgramData\Microsoft\MF\thelper.exe C:\ProgramData\Microsoft\MF\thelper.exe
                    Source: unknown | Process created: C:\ProgramData\Microsoft\MF\thelper.exe C:\ProgramData\Microsoft\MF\thelper.exe
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Process created: C:\Users\user\AppData\Local\thelper.exe "C:\Users\user\AppData\Local\thelper.exe"
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Process created: C:\Users\user\AppData\Roaming\WPS.exe "C:\Users\user\AppData\Roaming\WPS.exe" -upgradepower
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7A5A98FCE59EB21923DEC3642535A5
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FC7440F48901E81826ED2A23961C7067 E Global\MSI0000
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI704E.tmp "C:\Windows\Installer\MSI704E.tmp" /DontWait "C:\Users\user\AppData\Roaming\WPS.exe"
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI706F.tmp "C:\Windows\Installer\MSI706F.tmp" /DontWait "C:\ProgramData\Microsoft\MF\thelper.exe"
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Process created: C:\Users\user\AppData\Local\thelper.exe "C:\Users\user\AppData\Local\thelper.exe"
                    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samlib.dll
Source: C:\Windows\Installer\MSI704E.tmp | Section loaded: kernel.appcore.dll
Source: C:\Windows\Installer\MSI704E.tmp | Section loaded: uxtheme.dll
Source: C:\Windows\Installer\MSI704E.tmp | Section loaded: sxs.dll
Source: C:\Windows\Installer\MSI704E.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Installer\MSI704E.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Installer\MSI706F.tmp | Section loaded: kernel.appcore.dll
Source: C:\Windows\Installer\MSI706F.tmp | Section loaded: uxtheme.dll
Source: C:\Windows\Installer\MSI706F.tmp | Section loaded: sxs.dll
Source: C:\Windows\Installer\MSI706F.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Installer\MSI706F.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: sfc_os.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlue.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlgraphic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlluaruntime.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: version.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlgraphic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlluaruntime.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: libexpat.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: libpng13.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: msimg32.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: zlib1.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: mt.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: ic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: mfc42.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: msvcp60.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: propsys.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: edputil.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: appresolver.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: bcp47langs.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: slc.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: sppc.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlue.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlgraphic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlluaruntime.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: version.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlgraphic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: libexpat.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: libpng13.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: msimg32.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: zlib1.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: mt.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: ic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: mfc42.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: msvcp60.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlue.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlgraphic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlluaruntime.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: version.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlgraphic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlluaruntime.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: libexpat.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: libpng13.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: msimg32.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: xlfsio2.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: zlib1.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: mt.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: ic.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: mfc42.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: msvcp60.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Microsoft\MF\thelper.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\WPS.exe | Section loaded: textshaping.dll
Source: C:\Windows\Installer\MSI704E.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\msiexec.exe | File written: C:\Users\user\AppData\Local\AdvinstAnalytics\6696c9562ff508bfba81ef0a\76.23.66\tracking.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi | Static file information: File size 9958912 > 1048576
Source: C:\ProgramData\Microsoft\MF\thelper.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll2\Debug\Dll2.pdb source: thelper.exe, 00000007.00000002.1798443711.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000008.00000002.1794970185.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000009.00000002.1787878704.000000006C19E000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll6\Debug\Dll6.pdb source: thelper.exe, 00000007.00000002.1801136745.000000006C51F000.00000002.00000001.01000000.00000011.sdmp, thelper.exe, 00000008.00000002.1796688584.000000006C51F000.00000002.00000001.01000000.00000011.sdmp, thelper.exe, 00000009.00000002.1796619824.000000006C51F000.00000002.00000001.01000000.00000011.sdmp, mt.dll.1.dr
                    Source: Binary string: wininet.pdb source: shi5E8D.tmp.2.dr
                    Source: Binary string: msvcr90.i386.pdb source: msvcr90.dll.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLLuaRuntime\XLLuaRuntime.pdb source: thelper.exe, 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp, thelper.exe, 00000008.00000002.1788918364.0000000010031000.00000002.00000001.01000000.0000000C.sdmp, thelper.exe, 00000009.00000002.1782523120.0000000000F01000.00000002.00000001.01000000.0000000C.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI704E.tmp, 00000004.00000000.1763370399.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI704E.tmp, 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI706F.tmp, 00000005.00000000.1764144098.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, MSI706F.tmp, 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr
                    Source: Binary string: atl90.i386.pdb source: thelper.exe, 00000007.00000002.1801688962.000000006C981000.00000020.00000001.01000000.0000000A.sdmp, thelper.exe, 00000008.00000002.1797050469.000000006C981000.00000020.00000001.01000000.0000000A.sdmp, thelper.exe, 00000009.00000002.1797063230.000000006C981000.00000020.00000001.01000000.0000000A.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLUE\XLUE.pdb| source: thelper.exe, 00000007.00000002.1795613339.00000000101B8000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000008.00000002.1786695817.0000000001568000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000009.00000002.1785152260.00000000101B8000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: d3d12.pdbUGP source: shi5FD6.tmp.2.dr
                    Source: Binary string: E:\project\svn_3rd_source\sqlite-amalgamation-3071100\sqlitedll\Release\sqlite3.pdb source: sqlite3.dll.1.dr
                    Source: Binary string: E:\project\svn_3rd_source\sqlite-amalgamation-3071100\sqlitedll\Release\sqlite3.pdbQh source: sqlite3.dll.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdbH' source: thelper.exe, 00000009.00000002.1783012666.0000000001253000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbz source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI5C5C.tmp.1.dr, 5559f9.msi.1.dr, MSI5D0A.tmp.1.dr
                    Source: Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp
                    Source: Binary string: e:\Work\Thunder\xl8_client\thunder\src\BrowserSupport\pdb\ProductRelease\BrowserSupport.pdb source: thelper.exe, 00000007.00000000.1768993886.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000007.00000003.1774208611.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1786041431.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000008.00000002.1785928209.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000008.00000000.1770305223.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000009.00000002.1782793760.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 00000009.00000000.1771983142.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp, thelper.exe, 0000000C.00000000.1780060388.000000000086F000.00000002.00000001.01000000.00000013.sdmp, thelper.exe.1.dr
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll2\Debug\Dll2.pdb( source: thelper.exe, 00000007.00000002.1798443711.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000008.00000002.1794970185.000000006C19E000.00000002.00000001.01000000.00000012.sdmp, thelper.exe, 00000009.00000002.1787878704.000000006C19E000.00000002.00000001.01000000.00000012.sdmp
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLFSIO\XLFSIO.pdb source: thelper.exe, 00000007.00000002.1786560974.0000000001036000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000008.00000002.1787276109.0000000001776000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000009.00000002.1782646237.0000000000F36000.00000002.00000001.01000000.00000010.sdmp
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler2.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI6CD3.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI6BB7.tmp.1.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLUE\XLUE.pdb source: thelper.exe, 00000007.00000002.1795613339.00000000101B8000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000008.00000002.1786695817.0000000001568000.00000002.00000001.01000000.00000008.sdmp, thelper.exe, 00000009.00000002.1785152260.00000000101B8000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: C:\Users\Administrator\source\repos\Dll1\KSMDYH-DLL\Dll1.pdb source: thelper.exe, 00000007.00000002.1799731429.000000006C2BF000.00000002.00000001.01000000.00000009.sdmp, thelper.exe, 00000008.00000002.1796020662.000000006C2BF000.00000002.00000001.01000000.00000009.sdmp, thelper.exe, 00000009.00000002.1795835586.000000006C2BF000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdbHn source: thelper.exe, 00000008.00000002.1787044398.00000000016C3000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdbH source: thelper.exe, 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: e:\project\svn_3rd_source\XML\bin\libexpat.pdb source: thelper.exe, 00000007.00000002.1796864841.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000008.00000002.1789246295.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000009.00000002.1786563464.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, libexpat.dll.1.dr
                    Source: Binary string: d3d12.pdb source: shi5FD6.tmp.2.dr
                    Source: Binary string: e:\work\xunlei_uiengine\pdb\ProductRelease\XLGraphic\XLGraphic.pdb source: thelper.exe, 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp, thelper.exe, 00000008.00000002.1787044398.00000000016C3000.00000002.00000001.01000000.0000000D.sdmp, thelper.exe, 00000009.00000002.1783012666.0000000001253000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: wininet.pdbUGP source: shi5E8D.tmp.2.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.dr
                    Source: Binary string: e:\project\svn_3rd_source\XML\bin\libexpat.pdblA source: thelper.exe, 00000007.00000002.1796864841.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000008.00000002.1789246295.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, thelper.exe, 00000009.00000002.1786563464.0000000021D5D000.00000002.00000001.01000000.0000000B.sdmp, libexpat.dll.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI5C5C.tmp.1.dr, 5559f9.msi.1.dr, MSI5D0A.tmp.1.dr
                    Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI704E.tmp, 00000004.00000000.1763370399.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI704E.tmp, 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp, MSI706F.tmp, 00000005.00000000.1764144098.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, MSI706F.tmp, 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp, WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr
                    Source: Binary string: H:\rc_v11_personal_20221122_branch\Build\Release\WPSOffice\office6\addons\konlinesetup\konlinesetup.pdb source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp
                    Source: shi5FD6.tmp.2.dr | Static PE information: 0x96D7AA59 [Sat Mar 12 16:44:09 2050 UTC]
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F869A0 luaL_checkudata,luaL_checknumber,LoadLibraryW,GetProcAddress,7_2_00F869A0
                    Source: XLFSIO.dll.1.dr | Static PE information: real checksum: 0x0 should be: 0xec728
                    Source: MSI6B0A.tmp.1.dr | Static PE information: real checksum: 0xceae6 should be: 0xcc7bd
                    Source: MSI6950.tmp.1.dr | Static PE information: real checksum: 0xceae6 should be: 0xcc7bd
                    Source: ic.dll.1.dr | Static PE information: real checksum: 0x0 should be: 0x1a1418
                    Source: MSI6990.tmp.1.dr | Static PE information: real checksum: 0xceae6 should be: 0xcc7bd
                    Source: thelper.exe.1.dr | Static PE information: real checksum: 0x3e346 should be: 0x3b000
                    Source: MSI70BE.tmp.1.dr | Static PE information: real checksum: 0xceae6 should be: 0xcc7bd
                    Source: mt.dll.1.dr | Static PE information: real checksum: 0x0 should be: 0x189f70
                    Source: MSI5BCE.tmp.1.dr | Static PE information: real checksum: 0xceae6 should be: 0xcc7bd
                    Source: thelper.exe.7.dr | Static PE information: real checksum: 0x3e346 should be: 0x3b000
                    Source: libexpat.dll.1.dr | Static PE information: section name: .textbss
                    Source: mt.dll.1.dr | Static PE information: section name: .textbss
                    Source: mt.dll.1.dr | Static PE information: section name: .msvcjmc
                    Source: mt.dll.1.dr | Static PE information: section name: .00cfg
                    Source: XLFSIO.dll.1.dr | Static PE information: section name: .00cfg
                    Source: XLFSIO2.dll.1.dr | Static PE information: section name: .uestat
                    Source: XLGraphic.dll.1.dr | Static PE information: section name: .uestat
                    Source: XLLuaRuntime.dll.1.dr | Static PE information: section name: .uestat
                    Source: XLUE.dll.1.dr | Static PE information: section name: .uestat
                    Source: XLUE.dll.1.dr | Static PE information: section name: .uestr
                    Source: ic.dll.1.dr | Static PE information: section name: .textbss
                    Source: ic.dll.1.dr | Static PE information: section name: .msvcjmc
                    Source: ic.dll.1.dr | Static PE information: section name: .00cfg
                    Source: shi5E8D.tmp.2.dr | Static PE information: section name: .wpp_sf
                    Source: shi5E8D.tmp.2.dr | Static PE information: section name: .didat
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A5323C push ecx; ret 4_2_00A5324F
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_0019323C push ecx; ret 5_2_0019324F
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00ED1079 push ecx; ret 7_2_00ED108C
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F8E7D3 push ecx; ret 7_2_00F8E7E6
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F8E931 push ecx; ret 7_2_00F8E944
                    Source: msvcr90.dll.1.dr | Static PE information: section name: .text entropy: 6.92063892456726
                    Source: initial sample | Static PE information: section name: UPX0
                    Source: initial sample | Static PE information: section name: UPX1

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI706F.tmp
                    Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI704E.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI704E.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5C5C.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\libpng13.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\XLGraphic.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6ABB.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\thelper.exe
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\XLUE.dll
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | File created: C:\Users\user\AppData\Local\thelper.exe
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI70BE.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6CD3.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\XLFSIO.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6BB8.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5BCE.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5D97.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\WPS.exe
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5C7C.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6990.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\libexpat.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\XLLuaRuntime.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\zlib1.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\mt.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6C74.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5D0A.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\msvcp90.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6A9A.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6950.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\sqlite3.dll
                    Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\shi5E8D.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\msvcr90.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\atl90.dll
                    Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\shi5FD6.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI706F.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\ic.dll
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6B0A.tmp
                    Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\MF\XLFSIO2.dll
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
                    Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\WPS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00ECFF40 rdtsc
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI5D97.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI5BCE.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI5C5C.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI5C7C.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6990.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6ABB.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6C74.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI5D0A.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\MF\msvcp90.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6A9A.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6950.tmp
                    Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi5E8D.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\MF\sqlite3.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\MF\msvcr90.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\MF\atl90.dll
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI70BE.tmp
                    Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi5FD6.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6CD3.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB8.tmp
                    Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI6B0A.tmp
                    Source: C:\Windows\Installer\MSI706F.tmp | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_5-32958
                    Source: C:\Windows\Installer\MSI704E.tmp | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_4-32798
                    Source: C:\Windows\Installer\MSI704E.tmp | API coverage: 6.3 %
                    Source: C:\Windows\Installer\MSI706F.tmp | API coverage: 6.6 %
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | API coverage: 2.7 %
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | File opened: PhysicalDrive0
                    Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F89398 PathFileExistsW,FindFirstFileW,FindClose
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F97450 __EH_prolog3_GS,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z,??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEAB_WI@Z,??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@_W@Z,??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z,FindFirstFileW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ,FindNextFileW,FindClose,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ,FindClose
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F89407 GetFileAttributesExW,FindFirstFileW,FindClose,CreateFileW,GetFileSizeEx,CloseHandle
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F9766D __EH_prolog3,??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z,??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEAB_WI@Z,??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z,memset,_swprintf,_swprintf,FindFirstFileW,DeleteFileW,_wcsicmp,_wcsicmp,memset,_swprintf,RemoveDirectoryW,_wcsicmp,memset,_swprintf,_swprintf,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
                    Source: WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: =sRADVAPI32.dllAcquireSRWLockExclusiveReleaseSRWLockExclusiveROOT\CIMV2SELECT * FROM Win32_DiskDriveWQLSerialNumberModelFirmwareRevision\\.\PhysicalDrive%dIphlpapi.dllGetAdaptersInfoSYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}CharacteristicsComponentIdPCIXENNetCfgInstanceId%02X-%02X-%02X-%02X-%02X-%02X|_KHDIDMGR_3E67DFEF-DF4E-4CC6-9413-5F71C7C96C04InfoHDtInfoHD|
                    Source: 5559f9.msi.1.dr | Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
                    Source: thelper.exe, 00000007.00000002.1784973615.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: XXAcQbcXXfRSScRKernel32.dllCreateToolhelp32SnapshotKernel32.dllCreateToolhelp32SnapshotHARDWARE\DESCRIPTION\System\BIOS\SystemManufacturerVMWAREtaskkill /f /im rundll32.exeDisableLockWorkstationSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemSVP7-Thread running...
                    Source: thelper.exe, 00000007.00000002.1784973615.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                    Source: thelper.exe, 00000007.00000002.1784973615.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y[
                    Source: WPS.exe, 0000000D.00000002.2960709517.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2963810700.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1914796126.0000000004413000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827603871.0000000004415000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.0000000004415000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1915053692.0000000004414000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881962006.0000000004415000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: .PADbad bufferbad AllocateROOT\WMISELECT * FROM MSAcpi_ThermalZoneTemperatureWQLCurrentTemperature\\.\PhysicalDrive0VMware ToolsVMware
                    Source: thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMware Tools
                    Source: WPS.exe, 0000000D.00000002.2963810700.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1914796126.0000000004413000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827603871.0000000004415000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.0000000004415000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1915053692.0000000004414000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881962006.0000000004415000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWA
                    Source: thelper.exe, 00000008.00000002.1786046067.000000000110E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%%
                    Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_7-71612
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00ECFF40 rdtsc
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A3D0A5 IsDebuggerPresent,OutputDebugStringW
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F869A0 luaL_checkudata,luaL_checknumber,LoadLibraryW,GetProcAddress
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A62DCC mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6AD78 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AAD78 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001A2DCC mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A32310 GetProcessHeap
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI704E.tmp "C:\Windows\Installer\MSI704E.tmp" /DontWait "C:\Users\user\AppData\Roaming\WPS.exe"
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A533A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A5353F SetUnhandledExceptionFilter
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A52968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A56E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001933A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_0019353F SetUnhandledExceptionFilter
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_00192968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_00196E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00ED068E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F8E222 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00F8EACA SetUnhandledExceptionFilter
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A352F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Process created: C:\Users\user\AppData\Local\thelper.exe "C:\Users\user\AppData\Local\thelper.exe"
                    Source: thelper.exe, 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: thelper.exe, 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Progman
                    Source: thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: .lnk1200.exerun.exe\1234UltraViewerhttp://svp7.net:9874/UltraViewer.exe\UltraViewer.exeuv_x64.exeUI0Detect.exeUltraViewer_Service.exeUltraViewer_Desktop.exeunins000.exeUltraViewer UninstallButtonUltraViewer UninstallButtoniexplore.exeuvh.dlliexplore.exeAnyDesk.exe\http://SVP7.NET:9874/AnyDesk.exe\AnyDesk.exe\\.\PHYSICALDRIVE0SeShutdownPrivilegeProgmanProgmanShell_TrayWnd
                    Source: thelper.exe, 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ButtonShell_TrayWnd
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A535A9 cpuid
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E0C6 EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E1AC EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A67132 EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E111 EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E237 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A523F8 GetLocaleInfoEx
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E48A GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E5B3 GetLocaleInfoW,GetLocaleInfoW,GetACP
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A676AF GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E6B9 GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI704E.tmp | Code function: 4_2_00A6E788 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE0C6 EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE111 EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001A7132 EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE1AC EnumSystemLocalesW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE237 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001923F8 GetLocaleInfoEx
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE48A GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE5B3 GetLocaleInfoW,GetLocaleInfoW,GetACP
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE6B9 GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001A76AF GetLocaleInfoW
                    Source: C:\Windows\Installer\MSI706F.tmp | Code function: 5_2_001AE788 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                    Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\WPS.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\Installer\MSI704E.tmpCode function: 4_2_00A537D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00A537D5
                    Source: C:\Windows\Installer\MSI704E.tmpCode function: 4_2_00A67B1F GetTimeZoneInformation,4_2_00A67B1F
                    Source: C:\ProgramData\Microsoft\MF\thelper.exeCode function: 7_2_00E7C130 memset,GetVersionExW,7_2_00E7C130
                    Source: C:\Users\user\AppData\Roaming\WPS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 BlobJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR
                    Source: Yara match | File source: 8.2.thelper.exe.31c0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.thelper.exe.2cc0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.thelper.exe.1130000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR
                    Source: Yara match | File source: 8.2.thelper.exe.31c0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.thelper.exe.2cc0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.thelper.exe.1130000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR
                    Source: Yara match | File source: 8.2.thelper.exe.31c0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.thelper.exe.2cc0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.thelper.exe.1130000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR
                    Source: Yara match | File source: 8.2.thelper.exe.31c0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.thelper.exe.2cc0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.thelper.exe.1130000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: thelper.exe PID: 7272, type: MEMORYSTR
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E50060 XL_DrawSinglelineText,XL_ClipSubBindBitmap,XL_ReleaseBitmap,7_2_00E50060
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E501C0 XL_DrawMultilineText,XL_ClipSubBindBitmap,XL_ReleaseBitmap,7_2_00E501C0
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E661C0 XL_ClipSubBindBitmap,XL_CloneBitmap,XL_ReleaseBitmap,7_2_00E661C0
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E66130 XL_BindExpRect,XL_BindExpRect,7_2_00E66130
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E662B0 XL_ClipSubBindBitmap,XL_ReleaseBitmap,7_2_00E662B0
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E50320 XL_PaintTexture,XL_ClipSubBindBitmap,OffsetRect,OffsetRect,OffsetRect,XL_ReleaseBitmap,XL_ReleaseBitmap,7_2_00E50320
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00EC6640 XL_BindExpRect,7_2_00EC6640
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00EC6610 XL_BindExpObject,7_2_00EC6610
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00EC6890 XL_BindRectExpRect,7_2_00EC6890
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E78AF0 XL_GetBitmapInfo,XL_ClipSubBindBitmap,IntersectRect,OffsetRect,XL_ClipSubBindBitmap,XL_ReleaseBitmap,XL_ReleaseBitmap,7_2_00E78AF0
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E78D90 XL_ClipSubBindBitmap,OffsetRect,IsRectEmpty,OffsetRect,OffsetRect,XL_ReleaseBitmap,7_2_00E78D90
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E4F2B0 XL_BindMaskSource,7_2_00E4F2B0
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E4F780 XL_CreateBindBitmapEx,7_2_00E4F780
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E4F720 XL_CreateBindBitmap,7_2_00E4F720
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E4F8B0 XL_Blend,XL_ClipSubBindBitmap,OffsetRect,XL_ReleaseBitmap,XL_ReleaseBitmap,7_2_00E4F8B0
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E65850 XL_GetBitmapInfo,IntersectRect,OffsetRect,XL_ClipSubBindBitmap,XL_ReleaseBitmap,7_2_00E65850
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E4FA10 XL_FillBlend,XL_ClipSubBindBitmap,OffsetRect,XL_ReleaseBitmap,XL_ReleaseBitmap,7_2_00E4FA10
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E4FB70 XL_StretchBlend,XL_ClipSubBindBitmap,OffsetRect,OffsetRect,OffsetRect,XL_ReleaseBitmap,XL_ReleaseBitmap,7_2_00E4FB70
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E65CD0 XL_ReleaseBitmap,XL_ClipSubBindBitmap,7_2_00E65CD0
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E65D10 XL_BindRectExpRect,7_2_00E65D10
                    Source: C:\ProgramData\Microsoft\MF\thelper.exe | Code function: 7_2_00E4DF00 XL_ClipSubBindBitmap,7_2_00E4DF00
MITRE ATT&CK Matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Techniques with signature hits in the matrix (per-cell hit counts are not recoverable from the flattened layout): Replication Through Removable Media; Windows Management Instrumentation; DLL Side-Loading; Exploitation for Privilege Escalation; Disable or Modify Tools; System Time Discovery; Archive Collected Data; Ingress Tool Transfer; Native API; Deobfuscate/Decode Files or Information; Peripheral Device Discovery; Encrypted Channel; Process Injection; Obfuscated Files or Information; File and Directory Discovery; Non-Application Layer Protocol; Software Packing; System Information Discovery; Application Layer Protocol; Timestomp; Query Registry; Security Software Discovery; File Deletion; Virtualization/Sandbox Evasion; Masquerading; Process Discovery; Modify Registry
Behavior Graph ID: 1475158
Sample: WPS#U529e#U516c#U8f6f#U4ef6...
Startdate: 17/07/2024
Architecture: WINDOWS
Score: 100
Start node: contacts collect.installeranalytics.com, shuc-pc-snow.ksord.com and 3 other IPs or domains; signatures: Snort IDS alert for network traffic, Malicious sample detected (through community Yara rule), Yara detected FatalRAT, 3 other signatures; started msiexec.exe, thelper.exe, WPS.exe and 3 other processes
msiexec.exe: dropped C:\Windows\Installer\MSI706F.tmp (PE32), C:\Windows\Installer\MSI704E.tmp (PE32), C:\Users\user\AppData\Roaming\WPS.exe (PE32) and 29 other files (1 malicious); signature: Drops executables to the windows directory (C:\Windows) and starts them; started msiexec.exe, msiexec.exe, MSI704E.tmp, MSI706F.tmp
thelper.exe: dropped C:\Users\user\AppData\Local\thelper.exe (PE32); signature: Found API chain indicative of debugger detection; started thelper.exe
WPS.exe: signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); started WPS.exe
msiexec.exe (child of msiexec.exe): contacted collect.installeranalytics.com 54.224.49.0, 49733, 80 AMAZON-AESUS United States; dropped C:\Users\user\AppData\Local\...\shi5FD6.tmp (PE32), C:\Users\user\AppData\Local\...\shi5E8D.tmp (PE32); signature: Query firmware table information (likely to detect VMs)
WPS.exe (child of WPS.exe): contacted dw-online.ksosoft.com 116.181.3.214, 49734, 49735, 80 UNICOM-CNChinaUnicomIPnetworkCN China; klbv2.wpsdns.com 119.3.210.249, 443, 49743 HWCSNETHuaweiCloudServicedatacenterCN China; shuc-pc-snow.ksord.com 110.249.194.76, 49736, 80 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN China

                    No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\ProgramData\Microsoft\MF\XLFSIO.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\XLFSIO2.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\XLGraphic.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\XLLuaRuntime.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\XLUE.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\atl90.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\ic.dll | 4% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\libexpat.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\libpng13.dll | 3% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\msvcp90.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\msvcr90.dll | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\sqlite3.dll | 5% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\thelper.exe | 0% | ReversingLabs | |
C:\ProgramData\Microsoft\MF\zlib1.dll | 8% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\shi5E8D.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\shi5FD6.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\thelper.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\WPS.exe | 4% | ReversingLabs | |
C:\Windows\Installer\MSI5BCE.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI5C5C.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI5C7C.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI5D0A.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI5D97.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6950.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6990.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6A9A.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6ABB.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6B0A.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6BB8.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6C74.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6CD3.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI704E.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI706F.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI70BE.tmp | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
collect.installeranalytics.com | 54.224.49.0 | true | true | | unknown
dw-online.ksosoft.com | 116.181.3.214 | true | false | | unknown
klbv2.wpsdns.com | 119.3.210.249 | true | false | | unknown
shuc-pc-snow.ksord.com | 110.249.194.76 | true | false | | unknown
downloader.wps.cn | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://collect.installeranalytics.com/ | true | Avira URL Cloud: safe | unknown
https://downloader.wps.cn/api/v1/link | false | Avira URL Cloud: safe | unknown
                              • Avira URL Cloud: safe
                              unknown
                              http://dw-online.ksosoft.compDaWPS.exe, 00000006.00000003.1783487971.0000000001368000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783467220.0000000001361000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000002.1785170879.0000000001369000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686uWPS.exe, 0000000D.00000003.1914796126.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2963810700.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://html4/loose.dtdshi5E8D.tmp.2.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designersGWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686tWPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686zWPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designers/?WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn/bTheWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://downloader.wps.cn/api/v1/link/api/v1/linkloader-pc10.1.xxxx1.0.0zhapplication/json%02xWPS:%sWPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designers?WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v1/app/dynamicUrldnsParseIpserverTimegzipSizesplitSizeWPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.tiro.comWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://svp7.net:9874/UltraViewer.exethelper.exe, 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, thelper.exe, 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.goodfont.co.krWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://.cssshi5E8D.tmp.2.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686~WPS.exe, 0000000D.00000002.2960709517.0000000000E3F000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://shuc-pc-snow.ksord.comWPS.exe, 0000000D.00000003.1810291236.00000000041EB000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://shuc-pc-snow.ksord.com/NBWPS.exe, 0000000D.00000003.1815394137.0000000000E68000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.typography.netDWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.galapagosdesign.com/staff/dennis.htmWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://dw-online.ksosoft.com:80/api/dynamicParam/v3/app/6561882c644c368612.2019WPS.exe, 0000000D.00000003.1826993237.000000000443B000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881962006.0000000004411000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000443B000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://crl.thawte.com/ThawteTimestampingCA.crl0thelper.exe, 00000007.00000003.1774208611.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, thelper.exe.1.drfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fonts.comWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.sandoll.co.krWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.sakkal.comWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://.jpgshi5E8D.tmp.2.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c36863WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://shuc-pc-snow.ksord.com/WPS.exe, 0000000D.00000003.1810291236.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1914796126.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1815394137.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2963810700.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.apache.org/licenses/LICENSE-2.0WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686:WPS.exe, 0000000D.00000003.1833872908.000000000441F000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827603871.0000000004415000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.0000000004415000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c36868WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://curl.se/docs/http-cookies.htmlWPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://shuc-pc-snow.ksord.com)WPS.exe, 0000000D.00000003.1809492594.0000000004469000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2962702524.00000000041EB000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.winimage.com/zLibDll-DeleteNoRemoveForceRemoveValBDMSthelper.exe, 00000007.00000002.1786560974.0000000001036000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000008.00000002.1787276109.0000000001776000.00000002.00000001.01000000.00000010.sdmp, thelper.exe, 00000009.00000002.1782646237.0000000000F36000.00000002.00000001.01000000.00000010.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686.WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://event.wps.comWPS.exe, 00000006.00000002.1785349047.0000000001382000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 00000006.00000003.1783285429.000000000137E000.00000004.00000020.00020000.00000000.sdmpfalse
                                unknown
                                http://ocsp.thawte.com0thelper.exe, 00000007.00000003.1774208611.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, thelper.exe.1.drfalse
                                • URL Reputation: safe
                                unknown
                                http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686/WPS.exe, 0000000D.00000003.1914796126.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2963810700.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c36860WPS.exe, 0000000D.00000003.1914796126.000000000440A000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://dw-collect-debug.ksord.com)WPS.exe, 00000006.00000002.1783748911.00000000000E1000.00000040.00000001.01000000.00000006.sdmp, WPS.exe, 0000000D.00000002.2958502407.00000000000E1000.00000040.00000001.01000000.00000006.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686FWPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686$)DRWPS.exe, 0000000D.00000003.1833564279.0000000004441000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881330582.0000000004441000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1826993237.0000000004441000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.0000000004441000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1833908101.0000000004441000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://collect.installeranalytics.comWPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, 5559f9.msi.1.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686UWPS.exe, 0000000D.00000003.1833872908.000000000441F000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827603871.0000000004415000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1809611089.0000000004415000.00000004.00000020.00020000.00000000.sdmpfalse
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cnWPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686YWPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://stat.download.xunlei.com:8080/?aid=1009&id=%d&peerid=%s&click=1thelper.exefalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.thawte.com/cps0/WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://shuc-pc-snow.ksord.com)qWPS.exe, 0000000D.00000003.1881718056.0000000004455000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1881330582.000000000444E000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://dw-online.ksosoft.com/WPS.exe, 0000000D.00000003.1815264033.00000000041EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.thawte.com/repository0WWPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi, MSI704E.tmp.1.dr, MSI6CD3.tmp.1.dr, MSI5C5C.tmp.1.dr, MSI6C74.tmp.1.dr, 5559f9.msi.1.dr, MSI706F.tmp.1.dr, MSI6BB7.tmp.1.dr, MSI5D0A.tmp.1.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686QWPS.exe, 0000000D.00000003.1913366269.0000000000E65000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1914405477.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1815394137.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000002.2960709517.0000000000E65000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827340173.0000000000E6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://shuc-pc-snow.ksord.com)tWPS.exe, 0000000D.00000003.1833756944.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827656785.0000000004453000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1826993237.000000000444E000.00000004.00000020.00020000.00000000.sdmp, WPS.exe, 0000000D.00000003.1827440740.000000000444E000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://event.wps.comrWPS.exe, 0000000D.00000002.2960709517.0000000000DBA000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686OWPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686PWPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers8WPS.exe, 0000000D.00000002.2964697232.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://dw-online.ksosoft.com/api/dynamicParam/v3/app/6561882c644c3686cWPS.exe, 0000000D.00000003.1809611089.000000000440A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
119.3.210.249 | klbv2.wpsdns.com | China | 55990 | HWCSNET Huawei Cloud Service data center CN | false
116.181.3.214 | dw-online.ksosoft.com | China | 133119 | UNICOM-CN China Unicom IP network CN | false
54.224.49.0 | collect.installeranalytics.com | United States | 14618 | AMAZON-AES US | true
110.249.194.76 | shuc-pc-snow.ksord.com | China | 4837 | CHINA169-BACKBONE CHINA UNICOM China169 Backbone CN | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1475158
Start date and time: 2024-07-17 17:09:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi (renamed because the original name is a hash value)
Original Sample Name: WPS v76.23.66.msi
Detection: MAL
Classification: mal100.troj.evad.winMSI@17/62@4/4
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 62%
• Number of executed functions: 26
• Number of non-executed functions: 384
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
Time | Type | Description
11:10:14 | API Interceptor | 5x Sleep call for process: WPS.exe modified
16:10:12 | Task Scheduler | Run new task: user-PC path: C:\ProgramData\Microsoft\MF\thelper.exe
16:10:12 | Task Scheduler | Run new task: user-PC-2 path: C:\ProgramData\Microsoft\MF\thelper.exe
                                  No context
                                  https://u7161484.ct.sendgrid.net/ls/click?upn=u001.hSwgV93oKqJ8ZvQ-2F-2Bg69lRG3z5eH5AhV-2BJUjpvOnP47uzh2T1CKCZsAM0vhAdUI47WLZRLHbp0nZGfR-2F8WiTSw-3D-3DFKNC_zoLhCpkIy9Do8JtP-2BvPGbCKd-2BnnQhX22X7a9bdbWbCC5gFgFTIeDJ6cwijFzpwNISqmNkWsSGKxD-2FNSJjw0k1WplZHv6o0IxvsHmD61mU5ysV55-2B96DI72sCPsjm4NC818V0m0IM3im6ASY16u81LTenkvC-2FNvpnXD8McPjpGGauIb-2BM2U-2F5-2B1mP498QsMXa-2B6AhMNBfWHNfBJ5LHwc-2FEyMJR3z91eyiHhufIom4eLGOsOMu3-2Buvb1QWgf-2Fm28xUzJQB-2F0SFg3lJlq9Unc-2BGXVXdMHoo1zYap4ERXKPHz6eWGtoTBwyrUU9Pe5EWpAHMKw-2FmkMf-2FZqzwzxp6NZ5-2BmhlhChFLNLwKsCa-2F-2F11pJq78P2-2B7lv0W-2Fg16BvYyiRmGTE8uEeeeSyoRjaFkotfH-2Fw-2Ff7Lwf1l0eCoqAReiq0n82f3hl5klibAYhaJL8gD1m6Qn7H0Wu4jo84QkEjC0EIdszF8MNtqnVNqkm3DhB4Qg-3DGet hashmaliciousUnknownBrowse
                                  • 3.233.158.34
                                  https://u7161484.ct.sendgrid.net/ls/click?upn=u001.hSwgV93oKqJ8ZvQ-2F-2Bg69leIE994xSSqH5GRhtM9LxJzylLyMW1jQS6PNMKUTywQkgGBJbO1mHcNkyMZO2sZ7mwzJuAJ6NoVCfboOiycjoBmRmJ21uQ8d5ZLyjgcyftPoZbV0x6srcMnq4qnRbBu0O7jBwUV-2FDvozeHcLk6Xg-2Feg-3DwPJF_zoLhCpkIy9Do8JtP-2BvPGbCKd-2BnnQhX22X7a9bdbWbCC5gFgFTIeDJ6cwijFzpwNISqmNkWsSGKxD-2FNSJjw0k1WplZHv6o0IxvsHmD61mU5ysV55-2B96DI72sCPsjm4NC818V0m0IM3im6ASY16u81LTenkvC-2FNvpnXD8McPjpGGauIb-2BM2U-2F5-2B1mP498QsMXa-2B6AhMNBfWHNfBJ5LHwc-2FEyMJR3z91eyiHhufIom4eLGOsOMu3-2Buvb1QWgf-2Fm28xUzJQB-2F0SFg3lJlq9Unc-2BGXVXdMHoo1zYap4ERXKPHz6eBGax1u9Oya8RR2OEqVpFAzTGKLJpLw4mSSRnBENm6ouw3lgXwHAwc500czryRnrL8kAVH-2B-2BVilxLDi-2ByigxXjUWFgutNk8d1XKVELr-2Bc2f7Gx-2BYtM04qJvRxKQPDc6kwwnHhaO0xmjzDVh5wIL-2B0bUikk40nIqmHSaXtgmNSl6HzvQPXfDU3J0LLWIsgLi94-3DGet hashmaliciousUnknownBrowse
                                  • 3.5.70.110
                                  http://exhibitprosper.com/r5K0.aspx?4XVH7cbbbd9tkD1cc3JlHcwglSchg7pcmcpJJhf9scGet hashmaliciousPhisherBrowse
                                  • 3.212.220.243
                                  cc00980_.exeGet hashmaliciousUnknownBrowse
                                  • 54.158.232.70
                                  ziprar.exeGet hashmaliciousUnknownBrowse
                                  • 54.147.67.214
                                  https://1wv.ephypsyne.com/V50J/#ZGFuaWVsQHByZW1pZXItZXhwZXJ0cy5kZQ==Get hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                  • 44.212.226.157
                                  No context
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  C:\ProgramData\Microsoft\MF\atl90.dllFirefox-x64.msiGet hashmaliciousUnknownBrowse
                                    https://www.glarysoft.com/aff/download.php?s=GUGet hashmaliciousUnknownBrowse
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):386512
                                      Entropy (8bit):6.4147516724434235
                                      Encrypted:false
                                      SSDEEP:6144:nBKwXYBWHRuEFW9RzLLhrUmdHDZ19MhVBKwXYBWHRuEFW9RzLLhrUmdHDZ19Mhe:MaHRuEs3Xmm9DZEkaHRuEs3Xmm9DZEM
                                      MD5:CAA8225E7FEEFFAAB81721CDF30B1970
                                      SHA1:C732AD9D1A82CD123017E037A2DB40D067D7AD86
                                      SHA-256:2DC68FCE2E487CA30F776E8D5D2615DD99B21F0B997CF9F2FB9B84769625FF6F
                                      SHA-512:B4A44D97C6484351BCD0DF526181D8E81FB88A425E655C62CEADDB44FED38A513B75EB16661A15E71AF6D668FE027C0BF3332D1226DEED464514B66FF9BC1476
                                      Malicious:false
                                      Reputation:low
                                      Preview:...@IXOS.@.....@FY.X.@.....@.....@.....@.....@.....@......&.{0643F5DB-9DB9-46E7-9FAB-792BF97FAEF8}..WPS Office v76.23.66).WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi.@.....@B..L.@.....@........&.{7DD8A22E-1308-45B2-86D0-5CB5038DFF9C}.....@.....@.....@.....@.......@.....@.....@.......@......WPS Office v76.23.66......Rollback...V.n.d\O:.....RollbackCleanup.. Rd..Y.N.e.N...e.N:. .[.1.]. .....ProcessComponents...f.e.~.N.l.Qh...&.{A19BE9EC-E940-4615-A9BA-832DC870C667}&.{0643F5DB-9DB9-46E7-9FAB-792BF97FAEF8}.@........AI_RollbackTasks2...V.n,g0W...{:g.N.v.N.R...R...N.R.T:. .[.1.]. .L...AI_RollbackTasks2.@.-........MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..QA..QA..Q...PK..Q...P..Q...PP..Q...PR..Q...PW..Q...Pu..Q...P@..Q...PP..QA..Q...Q...PY..Q...P@..Q...Q@..QA..Q@..Q...P@..QRichA..Q................PE..L....;.a.........."!................'........ ......................................O.....@............
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):203784
                                      Entropy (8bit):6.586947560295334
                                      Encrypted:false
                                      SSDEEP:3072:5TRmbICt25LZseWDzoPZ6WS6BLfvgaSlpcD+05fC:5VljSzkPDNGEfC
                                      MD5:75CBB4F1E63E245BD3462CAB5CB5BE2C
                                      SHA1:2961F8579ED879CDC1BD50DDE56C6441965818ED
                                      SHA-256:DEC9DF011A3EE5FB9A9544BDA976EEC41667F344BC0B3166392F4CFFFAF3F7C6
                                      SHA-512:F7620741CF450DA09981F8FC8449D79981490696B84B65F35354F5BE7D0D3A6ED6CE8A08334E50F5B9D81DDAAEBE30B4FDB6DA6FD8015B0270477D761E2EE642
                                      Malicious:false
                                      Reputation:low
                                      Preview:.....XU..............h....h....Rh}<8.P...............SUVWjkXjef..$....3.XjrYjn[jlZj3f..$....f..$....Xj2f..$....Xj.f..$....Xjdf..$....X..$.....l$4..$......$......$......$......$....f..$....f..$....f..$....f..$....f..$....f..$.....D$<S.T$=f.D$>ee.D$@pf.D$PLo.D$Ra.D$Sf.D$TLi.D$Vb.L$W.D$Xa.L$Yf.D$ZyAf.D$DVi.L$Ff.D$Gtu.D$Ia.T$J.D$KA.T$L.T$Mf.D$Nocf.D$\Vi.L$^f.D$_tu.D$aa.T$b.D$cP.L$d.D$eotec.D$it.$....F..$.....$....ushI..$....f.$....st..$.....$....ucti.$....ojeY..$.....L$m.L$t.L$y..$...........$.....$....Cach.D$lG.D$ntNatf.D$riv.D$uSystf.D$zmI.\$|f.D$}fof.$....Rt..$.....$....A..$......$....f.$....Fu..$.....$....ctio..$....f.$....Ta.$....b..$.....w.....A.^...k......$....j...$....Xf..$....f..$.....D$.P..$.....\$4PUU..j._.D$Df.|$..D$..D$4PU.D$.f.|$.P.t$(..j.Xf.D$.f.D$..D$\.D$...$....PU.D$.P.t$(..j.Xf.D$.f.D$...$.....D$...$....PU.D$.P.t$(..j.^.D$lf.t$..D$...$....PU.D$.f.t$.P.t$(..j.Xf.D$.f.D$..D$<.D$...$....PU.D$.P.t$(...$....f.t$..D$...$....PU.D$.f.t$.P.t$(..D$Pf.|$..D$...$....
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):466
                                      Entropy (8bit):5.038556089104879
                                      Encrypted:false
                                      SSDEEP:12:TMHdtXBFN8u3/3XO5WSN4dKF+MVI4gVW/wnbEUyG:2dtXD+u/eVN40+MVI4gAwnhJ
                                      MD5:B41644A01C05740576B4E77662C7E86C
                                      SHA1:91D9A44EE27F321B8EB844709555E5CDA4D8D469
                                      SHA-256:A9A98FC7062262A47A1C0727339C760D18589B8549E4267762F7F4C88A103632
                                      SHA-512:C2B29CE13D2C84C4165196DF1A561B1DE35938F93714580B728A2FB2AF7C4606ABC410077645261250ABF73E66CCA64683715E3C3B1AAD6FDDFFDBAEFA8704A4
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright (c) Microsoft Corporation. All rights reserved. -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity.. type="win32".. name="Microsoft.VC90.ATL".. version="9.0.21022.8".. processorArchitecture="x86".. publicKeyToken="1fc8b3b9a1e18e3b".. />.. <file name="ATL90.dll" />..</assembly>..
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1857
                                      Entropy (8bit):5.379091022433406
                                      Encrypted:false
                                      SSDEEP:48:3SlK+6g4R09kkKv/zRs009kkKazS4S0309kkKBzY:CltCRXkq/O0XkzOfKXk48
                                      MD5:4F9ED5EFA4F7B75BCFE0F36C36EE5CB6
                                      SHA1:29F568508A65F5177C6044544248893A876A666F
                                      SHA-256:FF718390133B400EE679177B2902BBB918DB148BBB4ABABA03D0A1DF325B3303
                                      SHA-512:A94AA869B8420D3965FAD7B05E1E894E8CA00465CD8C2BE2AC135F44D0689AFA7257BB468C69B7BB33BBB036D6B66FBC693C964BF17A85A209AEEE9F8DFFC3CD
                                      Malicious:false
                                      Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr90.dll" hashalg="SHA1" hash="e0dcdcbfcb452747da530fae6b000d47c8674671"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>KSaO8M0iCtPF6YEr79P1dZsnomY=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="81efe890e4ef2615c0bb4dda7b94bea177c86ebd"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):921600
                                      Entropy (8bit):5.9232837087356875
                                      Encrypted:false
                                      SSDEEP:12288:Ewh/kGKUFSmBjrmdimavq3AIlbDpEYtlWKFRQQuuf8kn:r/0UFSyrmdimavvIppESlDg8
                                      MD5:A06090C5F2D3DF2CEDC51CC99E19E821
                                      SHA1:701AC97C2FD140464B234F666A0453D058C9FABF
                                      SHA-256:64FFDFFB82FC649E6847B3C4F8678D9CCA0D5117FA54C9ABBB746625D3FEEF89
                                      SHA-512:541804DB74A25FC5F50801F23B4D9F2BE788D3C95D3D23DD8098F4C8888D1FC808E6EB6959C458965C639EA28B594A87DFF7F3A89C4750C109B29B573C4535CF
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._..I............P......P......P.......).......).......)..\...P..........B.....................z.............Rich....................PE..L....Sf...........!...(.....V......|\.......................................p............@.........................P...0.......(.......<........................L......8...............................@............................................text...p........................... ..`.rdata..............................@..@.data....>.......$...~..............@....idata..............................@..@.00cfg..............................@..@.rsrc...<...........................@..@.reloc...W.......X..................@..B................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):214088
                                      Entropy (8bit):6.645761471364513
                                      Encrypted:false
                                      SSDEEP:6144:BGx1XQVx0mcFRq3uOFyXsTBqxQmsOy7YZSM:BaXQVx0mwA3uEQsTsxHVX
                                      MD5:1BC7AF7A8512CF79D4F0EFC5CB138CE3
                                      SHA1:68FD202D9380CACD2F8E0CE06D8DF1C03C791C5B
                                      SHA-256:EF474B18F89310C067A859D55ABD4E4F42FDAC732E49EAFE4246545E36872A62
                                      SHA-512:84DE4D193D22A305BE2BA28FC67BD1CCCF83616CEAD721E57347F1B2E0736D351FEF1ABF168F7914CAA1BCC7A72DB43769991016673CD4646DEF544802EE8960
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&..|b.m/b.m/b.m/../c.m/k../m.m/b.l/..m/k../j.m/k../z.m/k../Y.m/k../c.m/k../c.m/k../c.m/Richb.m/................PE..L......W...........!.....N..........K7.......`...............................P......)~..............................@.......t...d.......................H4... ......0b...............................................`...............................text....L.......N.................. ..`.rdata..3....`.......R..............@..@.data...............................@....uestat.l...........................@....rsrc...............................@..@.reloc..."... ...$..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):748104
                                      Entropy (8bit):6.750926609548472
                                      Encrypted:false
                                      SSDEEP:12288:YtFRL0ChvivVwOE5wOn2ML0TngpwBZuU2XvRAQfEWmd5eTU:YtFRL0ChvivVwOE5w20TnTuU2XvRABZN
                                      MD5:74C75AE5B97AD708DBE6F69D3A602430
                                      SHA1:A02764D99B44CE4B1D199EF0F8CE73431D094A6A
                                      SHA-256:89FBB6B1CA9168A452E803DBDC6343DB7C661AD70860A245D76B3B08830156E2
                                      SHA-512:52C5F7E00DFFB1C0719D18184DA2CC8EC2AD178B222775F167B87320F0683A3C2846E30190BC506F12D14C07FA45896935B3D4AC396BAA14D7564996E35C2ADA
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C&..C...C...C...C...C...C...C...C...C...C...C...C...CI..C...C...C...C.C...C...C...C...C...C...CRich...C........PE..L...#..W...........!................&........0......................................G.......................................<........0..,............6..H4...@..\-..03..............................h...@............0...............................text............................... ..`.rdata.......0......................@..@.data...............................@....uestat.@.... ......................@....rsrc...,....0......................@..@.reloc...9...@...:..................@..B................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):255048
                                      Entropy (8bit):6.644417096667236
                                      Encrypted:false
                                      SSDEEP:6144:bo/eYYpwVt0D0ihbv+52I5bwf3vXOboZRLkhGK4dhrrOyMTJ:bYeYYpMt0DZb25SvPRLYGvdp4J
                                      MD5:5362CB2EFE55C6D6E9B51849EC0706B2
                                      SHA1:D91ACBE95DEDC3BCAC7EC0051C04DDDDD5652778
                                      SHA-256:1D7519ACCA9C8A013C31AF2064FBC599A0B14CFD1DFB793A345FAB14045FED40
                                      SHA-512:DBD591C3D0B9847D9CEF59277C03EC89E246DB0E54B58FBBE9D492B75CDCB32D75444012CDFB1C77376D15DB7FDE1F74E694D2487C481CE29A2133342B91E1F5
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................{.)......*.......,.......!.....<.....;.....-......+...........Rich...................PE..L...?..W...........!................m................................................u..............................0v......Te..x.......\...............H4..........`...............................X@..@...............<............................text...l........................... ..`.rdata...|.......~..................@..@.data...\............t..............@....uestat.D............z..............@....rsrc...\............|..............@..@.reloc...'.......(..................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):2561608
                                      Entropy (8bit):6.3415727262614014
                                      Encrypted:false
                                      SSDEEP:24576:IEaZQmfa1YLPVtw8zDhpau3PhP3jYs8XmUHX9vYPiVoy/Dnxjhvyz:IZuqPTXzDF/JMs8dHX9/VoyLnxjhv
                                      MD5:0ABBE96E1F7A254E23A80F06A1018C69
                                      SHA1:0B83322FD5E18C9DA8C013A0ED952CFFA34381AE
                                      SHA-256:10F099F68741C179D5AD60B226D15233BB02D73F84CE51A5BBBBC4EB6A08E9D4
                                      SHA-512:2924E1E11E11BD655F27EB0243F87002A50A2D4B80E0B0E3AD6FD4C3D75C44222FAB426FCAA695881B0093BABF544E8AEEE50A065EA92274145B0F88B1DB0C58
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...[...[...[. .....[.......[......[.......[.......[.......[...Z...[.......[.......[.......[.......[.Rich..[.................PE..L.....W...........!.....j...t...............................................`'......2'..............................!..+...[!.h.....%...............&.H4... %.8... ...................................@...............d............................text....i.......j.................. ..`.rdata...B.......D...n..............@..@.data.........!.......!.............@....uestat.......$.......$.............@....uestr........%.......$.............@..@.rsrc.........%.......$.............@..@.reloc...?... %..@....$.............@..B........................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):159032
                                      Entropy (8bit):6.5642092957903335
                                      Encrypted:false
                                      SSDEEP:3072:5HJXmwllbA995vqNRoom9OSft0osAZT/NX+cZSyh53Pa63CLZ/V:5pXmwzA99hsaN9Jt0osARB+cEybyV
                                      MD5:338F1F7137860D3BF6094941AC2A9BA2
                                      SHA1:EE174FC0F8CFFA3B5717EAF17C97713099D69AD7
                                      SHA-256:5122E4A2E48E34326B6267D48BD007DA76A15243B90550EA565F1654CCC64877
                                      SHA-512:DA9DD23BA13928F1623566D10CA155D2A06112844CD7AE8FF0DDB5B31624E7E7E59289AA2B7B7568DA4CEC0070CDDC925DADE8312501415ADE0F4CD411B554B2
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                       • Filename: Firefox-x64.msi, Detection: malicious
                                       • Filename: , Detection: malicious
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.92..j2..j2..j.j.j0..j,.gj"..j,.qjG..j.j.j1..j2..j..j,.vj...j,.`j3..j,.fj3..j,.cj3..jRich2..j........PE..L...AOYJ...........!.........~.......2.............x.................................v....@.........................p...........(....P..."...........V..8............................................[..@............................................text...@........................... ..`.data....0..........................@....rsrc...."...P...$..................@..@.reloc...'.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1662976
                                      Entropy (8bit):5.6071102946447295
                                      Encrypted:false
                                      SSDEEP:12288:qAXAV394lax33Vfpt3lWLzmhM2hM4yVf5dljiiQuu+HXKBodAZXFdpliMfTglZzb:7wV3y433HtO2Whl4BodAZXdliMfElZz
                                      MD5:BB1197BEA58B158554FA3FA25866D1EA
                                      SHA1:CAE7F395ED42FA2DD3362F4C816FB678072FEB49
                                      SHA-256:20A04729FDD8E02E2FB5BE79AF130C364D0F3CE85E49478A6819A0A2020AE844
                                      SHA-512:F80B7669DA861400A5B5ADD8148B85CC62994819E3A3A2220475D7EC2FC31F70BC3C683D5A5D6043B319B428A0AC47B9B41201AEE7ABA5D5CC927A8556DD7B73
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 4%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8~..V-..V-..V-!.U,..V-!.S,v.V-!.R,..V-..U,..V-..S,..V-..R,..V-!.W,..V-..W-..V-n.S,..V-n.V,..V-n..-..V-...-..V-n.T,..V-Rich..V-................PE..L...4.vf...........!.....P...(......H........................................@#...........@.........................P.!.U....A".(....p".......................".@...@.!.8...........................x.!.@............@"..............................textbss.r...............................text....N.......P.................. ..`.rdata...............T..............@..@.data...d?...."..$...j..............@....idata..\....@".....................@..@.msvcjmcN....P".....................@....00cfg.......`".....................@..@.rsrc........p".....................@..@.reloc..N.....".....................@..B........................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):684032
                                      Entropy (8bit):5.737753396210417
                                      Encrypted:false
                                      SSDEEP:12288:c4rJNmF1EymyCOf1Z4fJGtQse4XHIOEBeDbGp:c4KEymyC4kMtQe
                                      MD5:5FF790879AAB8078884EAAC71AFFEB4A
                                      SHA1:59352663FDCF24BB01C1F219410E49C15B51D5C5
                                      SHA-256:CCECA70F34BBCEC861A02C3700DE79EA17D80C0A7B9F33D7EDD1357A714E0F2F
                                      SHA-512:34FBAFFC48912E3D3FA2D224E001121E8B36F5BE7284A33EB31D306B9A5C00DE6E23A9FDC1A17A61FB1371768F0B0E30B9C6E899A08C735FC70482D5AA8EA824
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:qxD:qxD:qxD3..D.qxD3..D+qxD...D9qxD:qyDdqxD3..DIqxD3..D;qxD$#.D;qxD3..D;qxDRich:qxD........PE..L...C}.X...........!................@K.............!................................................................p...M....p..(...............................TJ..P................................................r...............................textbss. ...............................text........@...................... ..`.rdata...Y.......Z..................@..@.data...@8...0......................@....idata..~....p......................@....rsrc...............................@..@.reloc..gV.......X..................@..B........................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):161280
                                      Entropy (8bit):6.302841870152543
                                      Encrypted:false
                                      SSDEEP:3072:xtGfTu0eJRrrVBbgSTftWgNYVkrlFW/m:xYAR1B5WgSVO
                                      MD5:BB1922DFBDD99E0B89BEC66C30C31B73
                                      SHA1:F7A561619C101BA9B335C0B3D318F965B8FC1DFB
                                      SHA-256:76457F38CBBDD3DCE078A40D42D9AC0DC26AE1C4BB68AB9C880EB7FFB400FD99
                                      SHA-512:3054574DD645FEB1468CEE53DB2FD456E4F923EAF5FD686557A01C72C0572B19D70F3885D47FE42E97CDF7CCC2C674A6E966FF19668907CF7828E0A943CF474A
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 3%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3...R..R..R..*i.R..*x.R....R..*o.R..R..R..*..R..*n.R...h.R..*m.R..Rich.R..........................PE..L...C}.X...........!.........`...............0.....!................................zS...............................b.......]..P....................................................................\..@............0...............................text............................... ..`.rdata...I...0...J..................@..@.data...l............`..............@....rsrc................b..............@..@.reloc...............l..............@..B................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):568832
                                      Entropy (8bit):6.529348877830445
                                      Encrypted:false
                                      SSDEEP:12288:iUmYoJC//83zMHZg7/yToyvYXO84hUgiW6QR7t5C3Ooc8SHkC2eRZRzS:iUmYoO83W0y8yeO8L3Ooc8SHkC2e8
                                      MD5:6DE5C66E434A9C1729575763D891C6C2
                                      SHA1:A230E64E0A5830544A25890F70CE9C9296245945
                                      SHA-256:4F7ED27B532888CE72B96E52952073EAB2354160D1156924489054B7FA9B0B1A
                                      SHA-512:27EC83EE49B752A31A9469E17104ED039D74919A103B625A9250AC2D4D8B8601034D8B3E2FA87AADBAFBDB89B01C1152943E8F9A470293CC7D62C2EEFA389D2C
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?..qQ.qQ.qQ..*.qQ.#..qQ.qP..qQ..>..qQ.#..qQ.#..qQ.#..qQ.#..qQ.#..qQ.#..qQ.Rich.qQ.................PE..L....=1G...........!.....$...p......B........@....Hx................................`.....@.........................@C......d8..<....p...................$......D2...................................$..@............................................text...!#.......$.................. ..`.data...h&...@.......(..............@....rsrc........p.......B..............@..@.reloc...B.......D...F..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):655872
                                      Entropy (8bit):6.890160476095281
                                      Encrypted:false
                                      SSDEEP:12288:whr4UCeaHTA80gIZ4BgmOEGVN9vtI0E5uO9FAOu8axTFmRyyrRzS:ga2g5gmO791I0E5uO9FANpmRyyg
                                      MD5:E7D91D008FE76423962B91C43C88E4EB
                                      SHA1:29268EF0CD220AD3C5E9812BEFD3F5759B27A266
                                      SHA-256:ED0170D3DE86DA33E02BFA1605EEC8FF6010583481B1C530843867C1939D2185
                                      SHA-512:C3D5DA1631860C92DECF4393D57D8BFF0C7A80758C9B9678D291B449BE536465BDA7A4C917E77B58A82D1D7BFC1F4B3BEE9216D531086659C40C41FEBCDCAE92
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...a...a...a..,....a...a...a...3)..`...3?.^a...3...a...38..a...3>..a...3;..a..Rich.a..................PE..L....=1G...........!.....Z..........@-.......p....Rx.........................0............@.........................`....|......(........................$.......3......................................@............................................text....X.......Z.................. ..`.data....g...p...D...^..............@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1564672
                                      Entropy (8bit):5.612198501569935
                                      Encrypted:false
                                      SSDEEP:12288:16D0N87G0YhT5pUwy5Vk+s44iiguupiyeYUvUfVtBJ78XdmfOsKg0uozkiKj:JhtpUb8+5JibUfVtBJ7ImfOsKg9P
                                      MD5:9DED3FDFFB0FF7F62E6A0A7F996C0CAF
                                      SHA1:FCC959B28A32923CCDB1CA4E304C74A31DEDE929
                                      SHA-256:87AAB1DB611ADB132F503C08C32DC4EFC23C9216D97E918F7279F86920701C93
                                      SHA-512:A7E7CB96A78827B01E71C595CA0D106EAF7AFE35D4A548E5BECCF0B009CC02D33274822958DCA4998A427D8B4027EAEFE99B40B3648E24730C81DF34EAB32BA0
                                      Malicious:false
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........XR.V9<.V9<.V9<..A?.X9<..A9..9<..A8.B9<..?.E9<..8.F9<..9..9<..A=.U9<.V9=..9<.E.9.T9<.E...W9<.E.>.W9<.RichV9<.........PE..L...{..f...........!...(.....F..............................................p!...........@.................................. .(..... .&..................... ........8..............................@............. ..............................textbss.+...............................text........@...................... ..`.rdata...T.......V..................@..@.data....=...P ..$..................@....idata........ .....................@..@.msvcjmc...... ......<..............@....00cfg........ ......>..............@..@.rsrc...&..... ......@..............@..@.reloc........ ......D..............@..B................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):484352
                                      Entropy (8bit):6.775750589015898
                                      Encrypted:false
                                      SSDEEP:6144:oiEuCNzvQuHEXzGlTp1gm26Xwq1BaU1LchARlZvugIqLR7nfGJTaaSZjboondwwX:iuoQDXzGtpfAo46vsg7RLgTalZbdww
                                      MD5:36879056AD692B8FFD0AA8D4B8D95C6C
                                      SHA1:3835101B053FB37E40871C8E84341B7A0545F833
                                      SHA-256:FD1C5409E0B0E06C4D5AD793663800C20836CFED4BF9265AE6C5213878F58A1B
                                      SHA-512:CFAD7FDB3227E66F7460CAB670D2C99DDE119CA2090C8BB3AD467D9B3193CE470DA18D43C1E5CF266671DB47F841524C54F5E3481900F4499A2315876A850A5C
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 5%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L{..L{..L{..E.\.N{..E.Z.@{..E.L.B{..E.K.N{..k...O{..L{..={..E.E.I{..E.].M{..R)[.M{..E.^.M{..RichL{..........PE..L...C}.X...........!.....`..........Ld.......p.....!.................................1....@.....................................<....P..h....................`...'...q..................................@............p..t............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data.... ... ......................@....rsrc...h....P......................@..@.reloc..,+...`...,...8..............@..B........................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):231896
                                      Entropy (8bit):6.608894718500493
                                      Encrypted:false
                                      SSDEEP:6144:gVjUqyblKOrj8xp2UTakqtkJ9qqD/l6DLxYOnHwjiY3DmzhIaZUNyF:Kj7ywi8xJTaP4Aqrl6JpYTUh5ZU+
                                      MD5:17749F66292F190EF93652EB512C5AB7
                                      SHA1:E2F651AA9D37404063FFC79E920787C9D3E71FDB
                                      SHA-256:0AA17EE66B8DAE520E82A94388B1A1D603EC2AED20C464D6CAC9A521D4167F24
                                      SHA-512:2EF192A191DC40A16C9B8768E749175C1A57319AB896809691EFFCC5DE61C4A38FD8A8388B8907A1985E505907A8529F4D10990E362831092C75DAFB8900B13E
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.8...V...V...V.......V.......V.......V.8.;...V.......V.......V.8.-...V...W...V.......V.......V.......V.Rich..V.........................PE..L.....-U............................$.............@.................................F.....@..................................p..|....................n.......`...,..@................................5..@............................................text...^........................... ..`.rdata..\...........................@..@.data...............................@....rsrc...............................@..@.reloc..4?...`...@..................@..B................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):63488
                                      Entropy (8bit):6.721700259681837
                                      Encrypted:false
                                      SSDEEP:768:5yiLYWSoXtIKCwH9Tu0eDVXeSE04rPRsPgt+ytSoUnToIf1AIOjIOyQH0L7ClW:D9dGwUDV7TP1nToIfeIOjIOyQH0LW
                                      MD5:37163AACC5534FBAB012FB505BE8D647
                                      SHA1:73DE6343E52180A24C74F4629E38A62ED8AD5F81
                                      SHA-256:0A6357A8852DAAAFE7AED300E2F7E69D993CAC4156E882BAA8A3A56B583255BA
                                      SHA-512:C3BED1C9BC58652ED16B162ED16A93CF7479A0492DB7E6EA577001DBE859AFFC0B20387D93D23E06E73F49F395E4C9A5A07680F000EBB82D32269742C16A5242
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 8%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................&......1......9...............6...... ......'......!......$.....Rich............................PE..L...C}.X...........!.........`....................g".........................0......GR..................................]...|...<.......(.................... .......................................................................................text.............................. ..`.rdata...J.......L..................@..@.data...............................@....rsrc...(...........................@..@.reloc..v.... ......................@..B................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):4.0081320258334
                                      Encrypted:false
                                      SSDEEP:3:1EyEMyvn:1BEN
                                      MD5:6BC190DD42A169DFA14515484427FC8E
                                      SHA1:B53BD614A834416E4A20292AA291A6D2FC221A5E
                                      SHA-256:B3395B660EB1EDB00FF91ECE4596E3ABE99FA558B149200F50AABF2CB77F5087
                                      SHA-512:5B7011ED628B673217695809A38A800E9C8A42CEB0C54AB6F8BC39DBA0745297A4FBD66D6B09188FCC952C08217152844DFC3ADA7CF468C3AAFCEC379C0B16B6
                                      Malicious:false
                                      Preview:[General]..Active = true..
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):13424
                                      Entropy (8bit):5.41175569234046
                                      Encrypted:false
                                      SSDEEP:384:2uROmSsF/uhTvdgbZiSBAk17H9l7/K2hYwnz5BFPf25w/ZWhrRL:2uRnSsF/uhTvdgbZiSBAk17dl7KOYwnq
                                      MD5:9FB82CAF11DA3DDB825D6BDB2671CCD8
                                      SHA1:72D7F187602D4AEE60189767C4FBDA5CF6087307
                                      SHA-256:5ABC52C3D08CBC17E4D8FB16F53CBC2C7412F3078BF68AF139BC44A7AC6FB668
                                      SHA-512:942A0DB7AFDD47D0E208A595C05090C4168B017BB833922AA858A7C0FADCC2333F6EC827209698CA9C3A01AEC1CED151EBB2916A32C709DD70F0DA6649DCCD62
                                      Malicious:false
                                      Preview:[Hit {5AD6EF52-D89E-40BF-9450-96963DEFD840}]..Queue Time = 0..Hit Type = lifecycle..Life control = start..Protocol Version = 3..Application ID = 6696c9562ff508bfba81ef0a..Application Version = 76.23.66..Client ID = 700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9..Session ID = {8AE698CD-4D24-4723-A62C-73BE1AFF81EE}....[Hit {639B4B68-6E6E-457B-A851-51B943D8A409}]..Queue Time = 0..Hit Type = property..Label = VersionNT..Value = 1000..Protocol Version = 3..Application ID = 6696c9562ff508bfba81ef0a..Application Version = 76.23.66..Client ID = 700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9..Session ID = {8AE698CD-4D24-4723-A62C-73BE1AFF81EE}....[Hit {52F4FAD0-1222-4C23-AF9C-5754FEBD105D}]..Queue Time = 0..Hit Type = property..Label = VersionNT64..Value = 1000..Protocol Version = 3..Application ID = 6696c9562ff508bfba81ef0a..Application Version = 76.23.66..Client ID = 700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9..Session ID = {8AE698CD-4D24-4723-A62C-73BE1AFF81EE}....[Hit {F3351640-AB1C-4623-A214-A41C694876CB
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4509696
                                      Entropy (8bit):6.100941182830929
                                      Encrypted:false
                                      SSDEEP:49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
                                      MD5:F6153E803F1533042AC7E6988237C2C3
                                      SHA1:DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
                                      SHA-256:F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
                                      SHA-512:7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):83128
                                      Entropy (8bit):6.654653670108596
                                      Encrypted:false
                                      SSDEEP:1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
                                      MD5:125B0F6BF378358E4F9C837FF6682D94
                                      SHA1:8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
                                      SHA-256:E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
                                      SHA-512:B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\Microsoft\MF\thelper.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):231896
                                      Entropy (8bit):6.608894718500493
                                      Encrypted:false
                                      SSDEEP:6144:gVjUqyblKOrj8xp2UTakqtkJ9qqD/l6DLxYOnHwjiY3DmzhIaZUNyF:Kj7ywi8xJTaP4Aqrl6JpYTUh5ZU+
                                      MD5:17749F66292F190EF93652EB512C5AB7
                                      SHA1:E2F651AA9D37404063FFC79E920787C9D3E71FDB
                                      SHA-256:0AA17EE66B8DAE520E82A94388B1A1D603EC2AED20C464D6CAC9A521D4167F24
                                      SHA-512:2EF192A191DC40A16C9B8768E749175C1A57319AB896809691EFFCC5DE61C4A38FD8A8388B8907A1985E505907A8529F4D10990E362831092C75DAFB8900B13E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.8...V...V...V.......V.......V.......V.8.;...V.......V.......V.8.-...V...W...V.......V.......V.......V.Rich..V.........................PE..L.....-U............................$.............@.................................F.....@..................................p..|....................n.......`...,..@................................5..@............................................text...^........................... ..`.rdata..\...........................@..@.data...............................@....rsrc...............................@..@.reloc..4?...`...@..................@..B................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                      Category:dropped
                                      Size (bytes):3027728
                                      Entropy (8bit):7.856503406318228
                                      Encrypted:false
                                      SSDEEP:49152:sejRVM654Suz/Debm7vpElDBc4uN+C+LHseGi1pm2PfLwUA0EUEiXDSWqf16yag5:sejRVMDhe6yH1ugfHseGKtPDw50E1iTe
                                      MD5:B52BA2B99108C496389AE5BB81FA6537
                                      SHA1:9073D8C4A1968BE24357862015519F2AFECD833A
                                      SHA-256:C6AC7D9ADD40B913112B265D4F366D9EF80BBD711049DB085FC750FCAD4E14D8
                                      SHA-512:6637506EE80D359E729E0011B97E8D827E14356393193247F502B7FCFBBCA249DC045B8ACFE4B31CE462468F421DC5D9A4E31183BEDB66C45A9AA43C01F81397
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 4%
                                      Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......q...5...5...5...n.......n........a/.<......&....../...n...4...n...4..........n.......n...6...5... ...........5...V...............4...5...7.......4...Rich5...........PE..L.....dc..................*.......,..ZW...,..`W...@..........................0Z......s....@.................................T-Z......`W.T.............-..H....Z..............................\W......\W.....................$PD.@...................UPX0......,.............................UPX1......*...,...*.................@....rsrc........`W.......*.............@......................................................................................................................................................................................................................................................................................................................................3.08.UPX!....
                                      Process:C:\Users\user\AppData\Roaming\WPS.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):522
                                      Entropy (8bit):3.4213603631412406
                                      Encrypted:false
                                      SSDEEP:12:Dv3L/LOWMzgvWeqTQulhUbvfMVoK9aflRpZ/LOWMP0Ljt/LOWMfl:DTLOW2gOtTbhUbXMVoGabPLOWMcdLOWk
                                      MD5:ACE1930668BA1710863B78C8B3031002
                                      SHA1:17836DB4A389289D727AF7C55B9B70322CC03DFB
                                      SHA-256:EEEC360BDC1269555038AE09F7B716C8E39B5A99BD7781BF35D0A5D66E33765F
                                      SHA-512:5D11E50AE02DD12A3BE3CD1F2FA4589A1AE1D0C17A6AEFE06D458AF3844D3A8390D638553B62A583E568B0DAE788AB65391498EBCD47FE34EA6349F1C0A26F8E
                                      Malicious:false
                                      Preview:{.".u.p.l.o.a.d.S.t.r.a.t.e.g.y.".:.{.".v.e.r.s.i.o.n.".:.1.5.9.0.1.3.8.0.0.0.0.0.0.,.".t.r.a.n.s.p.o.r.t.C.o.n.t.r.o.l.".:.{.".s.p.l.i.t.S.i.z.e.".:.5.0.,.".g.z.i.p.S.i.z.e.".:.1.0.}.,.".u.p.l.o.a.d.C.o.n.d.i.t.i.o.n.s.".:.{.".t.i.m.e.I.n.t.e.r.v.a.l.".:.2.,.".c.u.m.u.l.a.t.i.v.e.".:.3.0.}.}.,.".s.e.n.d.U.r.l.s.".:.{.".v.e.r.s.i.o.n.".:.1.5.9.0.1.3.8.0.0.0.0.0.0.,.".u.r.l.s.".:.".(.h.t.t.p.:././.s.h.u.c.-.p.c.-.s.n.o.w...k.s.o.r.d...c.o.m.).".}.,.".e.v.e.n.t.s.".:.{.".v.e.r.s.i.o.n.".:.1.5.9.0.1.3.8.0.0.0.0.0.0.}.}.
                                      Process:C:\Users\user\AppData\Roaming\WPS.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3034001, file counter 6, database pages 4, cookie 0x2, schema 4, UTF-16 little endian, version-valid-for 6
                                      Category:dropped
                                      Size (bytes):16384
                                      Entropy (8bit):0.9290823193781924
                                      Encrypted:false
                                      SSDEEP:48:TYbZiQGWIxBjv/CkSrVzVBhx5Jm/LbVjIBjvgstMIn:cZAjMvhw//VjI14sD
                                      MD5:ACB2A84B8C114D13C0DA20432450A354
                                      SHA1:F0F4CB153E9AA9C6B46C9A5917A7186666F021C4
                                      SHA-256:AEB34F1B898BD95CA365EB8E482003F368A3896641337AAB9D4F0A2A7E3F8B01
                                      SHA-512:38ECA166A1C31198DAA59FB4A5C4AF7B162C97808D6B30E302E7545C59BFA10B6559EDDC059FE218705B9828DF66CA45ADB9C6BE9CF13B79BC127B0675CE8C4B
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................K.......q......q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Roaming\WPS.exe
                                      File Type:SQLite Rollback Journal
                                      Category:dropped
                                      Size (bytes):8720
                                      Entropy (8bit):0.6611159625904791
                                      Encrypted:false
                                      SSDEEP:12:7+tCDft0wNYDR/m34PnqLW24TgmgZkHhTy9Vb+ahgGXh9gRKe2PZkH+GwxQ4AW29:7+t+t0YAI4PqLh+bVChA+G63s
                                      MD5:5887CDFBEE32CB241F7B69DB650A8B82
                                      SHA1:F37766FA20ED55247D3234FFAA076DFF9357F834
                                      SHA-256:C21338DFF0F284FF766CE772681E8AE09942FDB1554D76E1770502C728F30466
                                      SHA-512:72721B743EF04B758994D8EF8453D0BBAD171E66901BACD209AFB25A8273A6F819CE2A2DDF918147F86AAF479A724927EFC0E9DD2D3A5C2B81F78EB10AD2F905
                                      Malicious:false
                                      Preview:.... .c.......)...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[..[..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {7DD8A22E-1308-45B2-86D0-5CB5038DFF9C}, Number of Words: 2, Subject: WPS Office v76.23.66, Author: v76.23.66, Name of Creating Application: WPS Office v76.23.66, Template: ;2052, Comments: WPS Office v76.23.66 , Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Category:dropped
                                      Size (bytes):9958912
                                      Entropy (8bit):7.744960621162115
                                      Encrypted:false
                                      SSDEEP:196608:nWxLkNZONFiVDfWpugrukEa3bwQLWnhLQusRQR7p+2+E:nELkNZONFMUFruxoNazsRO7pJt
                                      MD5:8B1B9AF08BC62E4608D21B5568C0A581
                                      SHA1:ACC808ACCBB6897DA328A1DEF679B42E198BF9E0
                                      SHA-256:4BF33D5531FE319BED3D1550608DED652EF6B52437B6CC94D47A0D388F5BB03B
                                      SHA-512:9C03511CCC5C4F1EE386A61E91F9AFADC7310D1798A2BA7D233A308FA73DFA260A868C4E30EFD92B3259406F645FC50E0449B89AEAB8827D32C4C725DD2F971F
                                      Malicious:false
                                      Preview:......................>...........................................Z...........K.......h.......9...:...;...<...=...>...K...L...M...N...O...P...Q.......................................................................L...M...N...O...P...Q...R...S...T...U...V...W....................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...............................'...:........................................................................................... ...!..."...#...$...%...&...3...(...8...*...+...,...-......./...0...1...2.......4...5...6...7...;...9...@...C...<...=...>...?...J...A...B.......D...E...F...G...H...I...d...e.......M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):788480
                                      Entropy (8bit):6.397986909438471
                                      Encrypted:false
                                      SSDEEP:12288:DVMjEMXcOyXksIR18ytVt6f5ZORD1OUMUSMUufGg0L56OzpUoCj1CKgvcLjTAx:D6jEM0C25ZORULUDtsdduBjgvcLjTAx
                                      MD5:356FC2C181CC37E3F8AE4D6B855EBFCB
                                      SHA1:2EAD1E69F14099AE33A3216A9312C88007B73CD1
                                      SHA-256:C92B2D9623F19F8ACFEAC5FD894346515631EBB590E68F22C40A35FBACBEF03C
                                      SHA-512:74EA73D3206BA1C6F1963CAA4866589FE86636F68815C74733644AD6C4913DE3F1399770F6095A48C9D94A7D934072D8D8B409A393DE644265F6E456455DCEBD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Z+..;E..;E..;E..IF..;E..I@.y;E..NA..;E..NF..;E..N@..;E..IA..;E..IC..;E..ID..;E..;D..:E.mNL..;E.mNE..;E.mN...;E..;..;E.mNG..;E.Rich.;E.........................PE..L....<.a.........."!.........................................................@............@..........................{.......}.......P.......................`..D....`..p...................@a......x`..@............................................text............................... ..`.rdata..p...........................@..@.data................x..............@....rsrc........P......................@..@.reloc..D....`.......,..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):446944
                                      Entropy (8bit):6.403916470886214
                                      Encrypted:false
                                      SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                      MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                      SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                      SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                      SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):446944
                                      Entropy (8bit):6.403916470886214
                                      Encrypted:false
                                      SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                      MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                      SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                      SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                      SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):446944
                                      Entropy (8bit):6.403916470886214
                                      Encrypted:false
                                      SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                      MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                      SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                      SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                      SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):919520
                                      Entropy (8bit):6.451406895673526
                                      Encrypted:false
                                      SSDEEP:24576:rx90VXSK4fSa6HXr1iWn8Zlv2x4ntHurpllQ6a:Nq4Fb6HXr1iWnYs4ntHurpllQ6a
                                      MD5:6189CDCB92AB9DDBFFD95FACD0B631FA
                                      SHA1:B74C72CEFCB5808E2C9AE4BA976FA916BA57190D
                                      SHA-256:519F7AC72BEBA9D5D7DCF71FCAC15546F5CFD3BCFC37A5129E63B4E0BE91A783
                                      SHA-512:EE9CE27628E7A07849CD9717609688CA4229D47579B69E3D3B5B2E7C2433369DE9557EF6A13FA59964F57FB213CD8CA205B35F5791EA126BDE5A4E00F6A11CAF
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O...!S..!S..!S[."R..!S[.$R=.!S.%R..!S."R..!S.$R..!S[.%R..!S[. R..!S.. S..!S3.(R..!S3.!R..!S3..S..!S..S..!S3.#R..!SRich..!S........................PE..L...a<.a.........."!.....X...................p...............................@.......|....@.........................`A..t....A.......0.......................@..L...(...p...............................@............p...............................text...nV.......X.................. ..`.rdata.......p.......\..............@..@.data...<....`.......@..............@....rsrc........0......................@..@.reloc..L....@......................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):788480
                                      Entropy (8bit):6.397986909438471
                                      Encrypted:false
                                      SSDEEP:12288:DVMjEMXcOyXksIR18ytVt6f5ZORD1OUMUSMUufGg0L56OzpUoCj1CKgvcLjTAx:D6jEM0C25ZORULUDtsdduBjgvcLjTAx
                                      MD5:356FC2C181CC37E3F8AE4D6B855EBFCB
                                      SHA1:2EAD1E69F14099AE33A3216A9312C88007B73CD1
                                      SHA-256:C92B2D9623F19F8ACFEAC5FD894346515631EBB590E68F22C40A35FBACBEF03C
                                      SHA-512:74EA73D3206BA1C6F1963CAA4866589FE86636F68815C74733644AD6C4913DE3F1399770F6095A48C9D94A7D934072D8D8B409A393DE644265F6E456455DCEBD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Z+..;E..;E..;E..IF..;E..I@.y;E..NA..;E..NF..;E..N@..;E..IA..;E..IC..;E..ID..;E..;D..:E.mNL..;E.mNE..;E.mN...;E..;..;E.mNG..;E.Rich.;E.........................PE..L....<.a.........."!.........................................................@............@..........................{.......}.......P.......................`..D....`..p...................@a......x`..@............................................text............................... ..`.rdata..p...........................@..@.data................x..............@....rsrc........P......................@..@.reloc..D....`.......,..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):788480
                                      Entropy (8bit):6.397986909438471
                                      Encrypted:false
                                      SSDEEP:12288:DVMjEMXcOyXksIR18ytVt6f5ZORD1OUMUSMUufGg0L56OzpUoCj1CKgvcLjTAx:D6jEM0C25ZORULUDtsdduBjgvcLjTAx
                                      MD5:356FC2C181CC37E3F8AE4D6B855EBFCB
                                      SHA1:2EAD1E69F14099AE33A3216A9312C88007B73CD1
                                      SHA-256:C92B2D9623F19F8ACFEAC5FD894346515631EBB590E68F22C40A35FBACBEF03C
                                      SHA-512:74EA73D3206BA1C6F1963CAA4866589FE86636F68815C74733644AD6C4913DE3F1399770F6095A48C9D94A7D934072D8D8B409A393DE644265F6E456455DCEBD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Z+..;E..;E..;E..IF..;E..I@.y;E..NA..;E..NF..;E..N@..;E..IA..;E..IC..;E..ID..;E..;D..:E.mNL..;E.mNE..;E.mN...;E..;..;E.mNG..;E.Rich.;E.........................PE..L....<.a.........."!.........................................................@............@..........................{.......}.......P.......................`..D....`..p...................@a......x`..@............................................text............................... ..`.rdata..p...........................@..@.data................x..............@....rsrc........P......................@..@.reloc..D....`.......,..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):446944
                                      Entropy (8bit):6.403916470886214
                                      Encrypted:false
                                      SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                      MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                      SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                      SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                      SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):446944
                                      Entropy (8bit):6.403916470886214
                                      Encrypted:false
                                      SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                      MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                      SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                      SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                      SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):788480
                                      Entropy (8bit):6.397986909438471
                                      Encrypted:false
                                      SSDEEP:12288:DVMjEMXcOyXksIR18ytVt6f5ZORD1OUMUSMUufGg0L56OzpUoCj1CKgvcLjTAx:D6jEM0C25ZORULUDtsdduBjgvcLjTAx
                                      MD5:356FC2C181CC37E3F8AE4D6B855EBFCB
                                      SHA1:2EAD1E69F14099AE33A3216A9312C88007B73CD1
                                      SHA-256:C92B2D9623F19F8ACFEAC5FD894346515631EBB590E68F22C40A35FBACBEF03C
                                      SHA-512:74EA73D3206BA1C6F1963CAA4866589FE86636F68815C74733644AD6C4913DE3F1399770F6095A48C9D94A7D934072D8D8B409A393DE644265F6E456455DCEBD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Z+..;E..;E..;E..IF..;E..I@.y;E..NA..;E..NF..;E..N@..;E..IA..;E..IC..;E..ID..;E..;D..:E.mNL..;E.mNE..;E.mN...;E..;..;E.mNG..;E.Rich.;E.........................PE..L....<.a.........."!.........................................................@............@..........................{.......}.......P.......................`..D....`..p...................@a......x`..@............................................text............................... ..`.rdata..p...........................@..@.data................x..............@....rsrc........P......................@..@.reloc..D....`.......,..............@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):772429
                                      Entropy (8bit):6.409962775710157
                                      Encrypted:false
                                      SSDEEP:12288:caHRuEs3Xmm9DZE+aHRuEs3Xmm9DZEUaHRuEs3Xmm9DZE8aHRuEs3Xmm9DZEY:c25snmmtZv25snmmtZz25snmmtZ925sV
                                      MD5:601A1BCE3BA81AE3DF321DF843C7178F
                                      SHA1:1F70DF73D53CA440E8FE223DE92B1090D99C7B19
                                      SHA-256:7F600F2BD1438FA7B38B15AF306D97A307E4AF76476A96615FC42D724A07C0A0
                                      SHA-512:79228FF19964E34AB78E81E193038E724261B2B96D729672C4EDD71C642B9B44540EF40BFA0FA20FF9D6B10B01D52BE369ECD261D6F5EFB7C3F262A57CBB6F15
                                      Malicious:false
                                      Preview:...@IXOS.@.....@FY.X.@.....@.....@.....@.....@.....@......&.{0643F5DB-9DB9-46E7-9FAB-792BF97FAEF8}..WPS Office v76.23.66).WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi.@.....@B..L.@.....@........&.{7DD8A22E-1308-45B2-86D0-5CB5038DFF9C}.....@.....@.....@.....@.......@.....@.....@.......@......WPS Office v76.23.66......Rollback...V.n.d\O:.....RollbackCleanup.. Rd..Y.N.e.N...e.N:. .[.1.]. ....@.......@........ProcessComponents...f.e.~.N.l.Qh....@.....@.....@.]....&.{A19BE9EC-E940-4615-A9BA-832DC870C667}J.02:\Software\v76.23.66\{0643F5DB-9DB9-46E7-9FAB-792BF97FAEF8}\AI_IA_ENABLE.@.......@.....@.....@........AI_RollbackTasks2...V.n,g0W...{:g.N.v.N.R...R...N.R.T:. .[.1.]. .J...AI_RollbackTasks2.@.-........MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..QA..QA..Q...PK..Q...P..Q...PP..Q...PR..Q...PW..Q...Pu..Q...P@..Q...PP..QA..Q...Q...PY..Q...P@..Q...Q@..QA..Q@..Q...P@..QRichA..Q................PE..L....;.a...
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):191968
                                      Entropy (8bit):6.4059654303545885
                                      Encrypted:false
                                      SSDEEP:3072:TM6KwXYKcWHBnqA2L6vFW90Y+y3jS6LhrZe6benANHPPDZ1D5GvEOiF:TBKwXYBWHRuEFW9RzLLhrUmdHDZ19Mh0
                                      MD5:F11E8EC00DFD2D1344D8A222E65FEA09
                                      SHA1:235ED90CC729C50EB6B8A36EBCD2CF044A2D8B20
                                      SHA-256:775037D6D7DE214796F2F5850440257AE7F04952B73538DA2B55DB45F3B26E93
                                      SHA-512:6163DD8FD18B4520D7FDA0986A80F2E424FE55F5D65D67F5A3519A366E53049F902A08164EA5669476100B71BB2F0C085327B7C362174CB7A051D268F10872D3
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..QA..QA..Q...PK..Q...P..Q...PP..Q...PR..Q...PW..Q...Pu..Q...P@..Q...PP..QA..Q...Q...PY..Q...P@..Q...Q@..QA..Q@..Q...P@..QRichA..Q................PE..L....;.a.........."!................'........ ......................................O.....@.................................X...x.......x...........................ty..p....................z.......$..@............ .........@....................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...x...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):191968
                                      Entropy (8bit):6.4059654303545885
                                      Encrypted:false
                                      SSDEEP:3072:TM6KwXYKcWHBnqA2L6vFW90Y+y3jS6LhrZe6benANHPPDZ1D5GvEOiF:TBKwXYBWHRuEFW9RzLLhrUmdHDZ19Mh0
                                      MD5:F11E8EC00DFD2D1344D8A222E65FEA09
                                      SHA1:235ED90CC729C50EB6B8A36EBCD2CF044A2D8B20
                                      SHA-256:775037D6D7DE214796F2F5850440257AE7F04952B73538DA2B55DB45F3B26E93
                                      SHA-512:6163DD8FD18B4520D7FDA0986A80F2E424FE55F5D65D67F5A3519A366E53049F902A08164EA5669476100B71BB2F0C085327B7C362174CB7A051D268F10872D3
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..QA..QA..Q...PK..Q...P..Q...PP..Q...PR..Q...PW..Q...Pu..Q...P@..Q...PP..QA..Q...Q...PY..Q...P@..Q...Q@..QA..Q@..Q...P@..QRichA..Q................PE..L....;.a.........."!................'........ ......................................O.....@.................................X...x.......x...........................ty..p....................z.......$..@............ .........@....................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...x...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):191968
                                      Entropy (8bit):6.4059654303545885
                                      Encrypted:false
                                      SSDEEP:3072:TM6KwXYKcWHBnqA2L6vFW90Y+y3jS6LhrZe6benANHPPDZ1D5GvEOiF:TBKwXYBWHRuEFW9RzLLhrUmdHDZ19Mh0
                                      MD5:F11E8EC00DFD2D1344D8A222E65FEA09
                                      SHA1:235ED90CC729C50EB6B8A36EBCD2CF044A2D8B20
                                      SHA-256:775037D6D7DE214796F2F5850440257AE7F04952B73538DA2B55DB45F3B26E93
                                      SHA-512:6163DD8FD18B4520D7FDA0986A80F2E424FE55F5D65D67F5A3519A366E53049F902A08164EA5669476100B71BB2F0C085327B7C362174CB7A051D268F10872D3
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..QA..QA..Q...PK..Q...P..Q...PP..Q...PR..Q...PW..Q...Pu..Q...P@..Q...PP..QA..Q...Q...PY..Q...P@..Q...Q@..QA..Q@..Q...P@..QRichA..Q................PE..L....;.a.........."!................'........ ......................................O.....@.................................X...x.......x...........................ty..p....................z.......$..@............ .........@....................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...x...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):399328
                                      Entropy (8bit):6.589290025452677
                                      Encrypted:false
                                      SSDEEP:6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
                                      MD5:B9545ED17695A32FACE8C3408A6A3553
                                      SHA1:F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
                                      SHA-256:1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
                                      SHA-512:F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):399328
                                      Entropy (8bit):6.589290025452677
                                      Encrypted:false
                                      SSDEEP:6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
                                      MD5:B9545ED17695A32FACE8C3408A6A3553
                                      SHA1:F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
                                      SHA-256:1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
                                      SHA-512:F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:modified
                                      Size (bytes):788480
                                      Entropy (8bit):6.397986909438471
                                      Encrypted:false
                                      SSDEEP:12288:DVMjEMXcOyXksIR18ytVt6f5ZORD1OUMUSMUufGg0L56OzpUoCj1CKgvcLjTAx:D6jEM0C25ZORULUDtsdduBjgvcLjTAx
                                      MD5:356FC2C181CC37E3F8AE4D6B855EBFCB
                                      SHA1:2EAD1E69F14099AE33A3216A9312C88007B73CD1
                                      SHA-256:C92B2D9623F19F8ACFEAC5FD894346515631EBB590E68F22C40A35FBACBEF03C
                                      SHA-512:74EA73D3206BA1C6F1963CAA4866589FE86636F68815C74733644AD6C4913DE3F1399770F6095A48C9D94A7D934072D8D8B409A393DE644265F6E456455DCEBD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):1.1805592894082801
                                      Encrypted:false
                                      SSDEEP:12:JSbX72FjbiAGiLIlHVRpsh/7777777777777777777777777vDHFaCb9oe3LxSC3:J0QI58Bn3LZjaF
                                      MD5:3C5AB16FDAF099173D434F6D8063C1D6
                                      SHA1:99FE5CE5CF1E710EF21DA717EDC87AC7074667A1
                                      SHA-256:A980BA63489756B901AC99A8D5E6217B89D601F348D92252C19730949B14B462
                                      SHA-512:D7AEBD8C0D0074FDED34CBDE86CFD9CCD50D5AD9B604ECDAAC9FBA9EB9EB69040CE14D899E77686CE2FF12FE2C59D1CAE8DA6F04E536AEF7A73BF66CAC88B944
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):24576
                                      Entropy (8bit):1.8486500754464816
                                      Encrypted:false
                                      SSDEEP:48:p8PhQuRc06WXJCFT5NVvgrdRe68SkdRe6PAEkrCyh6Moe8xfoHswXGcp4ru2xBxZ:khQ15FTZL6RCJco2WG3
                                      MD5:FF73FCF5E6DCE090A6EC0839B4FFAD06
                                      SHA1:622DDBA0F89575F1180B3DE7B2926B4F57198102
                                      SHA-256:2A16BEEC6B0382760316C6D4E58D42A92B36E6866B2712670A8B16B7DAE13A40
                                      SHA-512:79B80B4E7A4CBBBFEF8AB9A0A12AA6A4831E8F6B9F51E8B14A0F28A9F040488CFCEDA51C8D6587F164B50B84DD814F3AB80086A9F95E1768DA7FEAF53E55D8C0
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):432221
                                      Entropy (8bit):5.375170691508401
                                      Encrypted:false
                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauV:zTtbmkExhMJCIpErs
                                      MD5:E59A866CF5982A97981B2B46D6A9EBBD
                                      SHA1:C3DE0CF52D878E55CEF411CC70E3F802D590BF70
                                      SHA-256:3C67360EE3EB588FE4D10CEA2C678EA4453F923269E6967F565B0C3831860449
                                      SHA-512:CAF961B815C6955DB600277CCDA1E33E3C50900A2077ADA1A8B6E9D5A42E1D81987FE99843290F165217760DC6466B3FC43270004E18932144ADD932A5775A73
                                      Malicious:false
                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):1.2106746195239575
                                      Encrypted:false
                                      SSDEEP:48:56TYuAO+CFXJTT55UVyPVvgrdRe68SkdRe6PAEkrCyh6Moe8xfoHswXGcp4ru2xp:mYCrT38WL6RCJco2WG3
                                      MD5:FE89B35EF34F6976E13A6EC965C238C7
                                      SHA1:7CC6AFFF64CFF35A1AD906497F651E83A90EEF74
                                      SHA-256:5D1C81B8B4B2AF341D5379B85DC318BCAC8C8817689630317A4A18A1463067A6
                                      SHA-512:8A960E1886D77E674A04FF46B91E117636B3E2B3B558B273C4BAB9AAC246F4413F72948E34B8357CD45DFAEE280C17F8DDFD32697E5CDF235E8B79D79F1216E1
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):24576
                                      Entropy (8bit):1.8486500754464816
                                      Encrypted:false
                                      SSDEEP:48:p8PhQuRc06WXJCFT5NVvgrdRe68SkdRe6PAEkrCyh6Moe8xfoHswXGcp4ru2xBxZ:khQ15FTZL6RCJco2WG3
                                      MD5:FF73FCF5E6DCE090A6EC0839B4FFAD06
                                      SHA1:622DDBA0F89575F1180B3DE7B2926B4F57198102
                                      SHA-256:2A16BEEC6B0382760316C6D4E58D42A92B36E6866B2712670A8B16B7DAE13A40
                                      SHA-512:79B80B4E7A4CBBBFEF8AB9A0A12AA6A4831E8F6B9F51E8B14A0F28A9F040488CFCEDA51C8D6587F164B50B84DD814F3AB80086A9F95E1768DA7FEAF53E55D8C0
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):73728
                                      Entropy (8bit):0.3078649027305127
                                      Encrypted:false
                                      SSDEEP:48:pV6fT4dRe6xSkdRe6mdRe68SkdRe6PAEkrCyh6Moe8xfoHswXGcp4ru2xBxYxMxT:Dv6RCJco2WGK
                                      MD5:9BB81113866A52E68C4504383C3DCEB9
                                      SHA1:269AA5ED651A385DF9D775F683A05FF177ECBE2A
                                      SHA-256:2C842CCA47588F31C4DEEF813BD0D5E2C49E05AADC72001CB7E1A64BA380DD54
                                      SHA-512:81412FFC1CB1370350208F3FC5367FCF349ADADDF21BF4E749F4580A23638B175AA40A86BA82DB8D699922C2B18393BE4E8C9E495805C72344DA53400130255A
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):1.2106746195239575
                                      Encrypted:false
                                      SSDEEP:48:56TYuAO+CFXJTT55UVyPVvgrdRe68SkdRe6PAEkrCyh6Moe8xfoHswXGcp4ru2xp:mYCrT38WL6RCJco2WG3
                                      MD5:FE89B35EF34F6976E13A6EC965C238C7
                                      SHA1:7CC6AFFF64CFF35A1AD906497F651E83A90EEF74
                                      SHA-256:5D1C81B8B4B2AF341D5379B85DC318BCAC8C8817689630317A4A18A1463067A6
                                      SHA-512:8A960E1886D77E674A04FF46B91E117636B3E2B3B558B273C4BAB9AAC246F4413F72948E34B8357CD45DFAEE280C17F8DDFD32697E5CDF235E8B79D79F1216E1
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):0.08329931249819422
                                      Encrypted:false
                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOaCb3Y0IDe30OtDSCjgEyVky6lt1:2F0i8n0itFzDHFaCb9oe3LxSCjXH
                                      MD5:DAB6BEF98AFA2FF655F3F08FC3CF4A8E
                                      SHA1:B235BE331B587A359F0D9538C97E4C84CDD1E4B6
                                      SHA-256:AA952B48D218A9384DD2E5920EE9840C53A81446A355C7CE49ACF0D7FBEAFEF4
                                      SHA-512:6CD3A0747668C0E4FB40EB04930B04CE6E4FB9DBDF277619D5A2AF128F8EF83860868A3B2349EA8C25651CF3455002237C13F14B90F4B24A5F95338101CEB1BB
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):24576
                                      Entropy (8bit):1.8486500754464816
                                      Encrypted:false
                                      SSDEEP:48:p8PhQuRc06WXJCFT5NVvgrdRe68SkdRe6PAEkrCyh6Moe8xfoHswXGcp4ru2xBxZ:khQ15FTZL6RCJco2WG3
                                      MD5:FF73FCF5E6DCE090A6EC0839B4FFAD06
                                      SHA1:622DDBA0F89575F1180B3DE7B2926B4F57198102
                                      SHA-256:2A16BEEC6B0382760316C6D4E58D42A92B36E6866B2712670A8B16B7DAE13A40
                                      SHA-512:79B80B4E7A4CBBBFEF8AB9A0A12AA6A4831E8F6B9F51E8B14A0F28A9F040488CFCEDA51C8D6587F164B50B84DD814F3AB80086A9F95E1768DA7FEAF53E55D8C0
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):1.2106746195239575
                                      Encrypted:false
                                      SSDEEP:48:56TYuAO+CFXJTT55UVyPVvgrdRe68SkdRe6PAEkrCyh6Moe8xfoHswXGcp4ru2xp:mYCrT38WL6RCJco2WG3
                                      MD5:FE89B35EF34F6976E13A6EC965C238C7
                                      SHA1:7CC6AFFF64CFF35A1AD906497F651E83A90EEF74
                                      SHA-256:5D1C81B8B4B2AF341D5379B85DC318BCAC8C8817689630317A4A18A1463067A6
                                      SHA-512:8A960E1886D77E674A04FF46B91E117636B3E2B3B558B273C4BAB9AAC246F4413F72948E34B8357CD45DFAEE280C17F8DDFD32697E5CDF235E8B79D79F1216E1
                                      Malicious:false
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):512
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3::
                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\msiexec.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):3.650608324205336
                                      Encrypted:false
                                      SSDEEP:3:8nQtI2Y1AnNTS/l/l8lLn:8QCGNT2qLn
                                      MD5:400347A0483E28FF65A605F8331A6D92
                                      SHA1:07139A455E84A8F757D4E534B3BAB4A55F2BAE67
                                      SHA-256:8F4EBE2894E669D01FF5ABC3BA842670F2D6C7E075EEFC13E6E25DF62DCCD9DA
                                      SHA-512:E412DCCB8520D21E9EA2FFA5D6802740F25CA6411108DB5859B23E4B0FF9B08FCD64B36AD88B8D68C6995BC07A3D3C5126FFAA308B54BDA7E17402A650EAD8EB
                                      Malicious:false
                                      Preview:....5.6.2.2.5.8.....\MAILSLOT\NET\GETDC0FC33CA7.................
                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {7DD8A22E-1308-45B2-86D0-5CB5038DFF9C}, Number of Words: 2, Subject: WPS Office v76.23.66, Author: v76.23.66, Name of Creating Application: WPS Office v76.23.66, Template: ;2052, Comments: WPS Office v76.23.66 , Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                      Entropy (8bit):7.744960621162115
                                      TrID:
                                      • Windows SDK Setup Transform Script (63028/2) 47.91%
                                      • Microsoft Windows Installer (60509/1) 46.00%
                                      • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                      File name:WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi
                                      File size:9'958'912 bytes
                                      MD5:8b1b9af08bc62e4608d21b5568c0a581
                                      SHA1:acc808accbb6897da328a1def679b42e198bf9e0
                                      SHA256:4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b
                                      SHA512:9c03511ccc5c4f1ee386a61e91f9afadc7310d1798a2ba7d233a308fa73dfa260a868c4e30efd92b3259406f645fc50e0449b89aeab8827d32c4c725dd2f971f
                                      SSDEEP:196608:nWxLkNZONFiVDfWpugrukEa3bwQLWnhLQusRQR7p+2+E:nELkNZONFMUFruxoNazsRO7pJt
                                      TLSH:0CA6022671DAC636EB7F8630657ADB3A21BA7BE20BB150CB63C01D2A0E745C11275F17
                                      File Content Preview:........................>...........................................Z...........K.......h.......9...:...;...<...=...>...K...L...M...N...O...P...Q.......................................................................L...M...N...O...P...Q...R...S...T...U..
                                      Icon Hash:2d2e3797b32b2b99
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/17/24-17:10:19.103117 | TCP | 2849814 | ETPRO MALWARE TakeMyFile User-Agent | 49733 | 80 | 192.168.2.4 | 54.224.49.0
07/17/24-17:10:19.103117 | TCP | 2849813 | ETPRO MALWARE TakeMyFile Installer Checkin | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-17T17:10:24.358485+0200 | TCP | 2840787 | ETPRO HUNTING Request for config.json | 49741 | 443 | 192.168.2.4 | 184.28.90.27
2024-07-17T17:10:19.276636+0200 | TCP | 2849814 | ETPRO ADWARE_PUP TakeMyFile User-Agent | 49733 | 80 | 192.168.2.4 | 54.224.49.0
2024-07-17T17:10:19.276636+0200 | TCP | 2849813 | ETPRO ADWARE_PUP TakeMyFile Installer Checkin | 49733 | 80 | 192.168.2.4 | 54.224.49.0
2024-07-17T17:10:19.276636+0200 | TCP | 2848122 | ETPRO HUNTING Windows System Information in UA | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 17, 2024 17:10:12.725332022 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:12.730345964 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:12.731245995 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:12.734359980 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:12.734359980 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:12.741225958 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:12.741241932 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.256496906 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.257452965 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.272914886 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.272914886 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.278068066 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.279211998 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.446481943 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.447248936 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.472491980 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.472546101 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.477437973 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.478509903 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.648201942 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.648334026 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.680234909 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.680234909 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.685250998 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.685359955 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.793901920 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.794111967 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.797785044 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.797904968 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.802784920 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.803215981 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.963952065 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.964050055 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.965502024 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.965598106 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:13.970526934 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:13.970591068 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.080120087 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.080293894 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.081881046 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.082060099 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.089540005 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.089978933 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.198117971 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.198255062 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.199641943 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.199641943 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.205864906 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.314155102 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.314466953 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.315696001 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.315696955 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.321434021 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.321444035 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.494215012 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.494328976 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.496368885 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.496368885 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.501323938 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.501472950 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.677228928 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.677294970 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.679240942 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.679240942 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.684246063 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.799758911 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.799830914 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.802352905 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.802448988 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:14.808312893 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.808533907 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.969542980 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:14.972325087 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.255584955 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.255584955 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.256572962 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.256839037 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.260426044 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.261645079 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.261662960 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:15.261722088 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:15.261760950 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.261950970 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.262120962 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.262140989 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.262140989 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.262474060 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:15.267801046 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:15.267838955 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:15.267857075 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:15.267940998 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:15.467645884 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.467719078 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.470438004 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.470438004 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.475282907 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.475358963 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.583059072 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.583404064 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.585206985 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.585206985 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.590306997 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.590353966 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.697824001 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.697943926 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.699244976 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.699244976 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.704292059 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.704317093 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.813503027 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.813663960 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.816407919 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.816407919 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.821419001 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.821430922 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.937577963 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.937911034 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.940515041 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.940515041 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:15.955391884 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:15.955403090 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.125011921 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.125071049 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.126827955 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.126827955 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.133125067 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.133140087 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.210469961 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.210740089 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.210784912 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.215970039 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.216569901 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.220155954 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.220415115 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.220415115 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.225317001 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.225332022 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.244419098 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.244647026 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.245954990 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.245954990 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.246526957 CEST | 49736 | 80 | 192.168.2.4 | 110.249.194.76
Jul 17, 2024 17:10:16.250931978 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.250976086 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.251451969 CEST | 80 | 49736 | 110.249.194.76 | 192.168.2.4
Jul 17, 2024 17:10:16.251527071 CEST | 49736 | 80 | 192.168.2.4 | 110.249.194.76
Jul 17, 2024 17:10:16.251719952 CEST | 49736 | 80 | 192.168.2.4 | 110.249.194.76
Jul 17, 2024 17:10:16.251751900 CEST | 49736 | 80 | 192.168.2.4 | 110.249.194.76
Jul 17, 2024 17:10:16.256680965 CEST | 80 | 49736 | 110.249.194.76 | 192.168.2.4
Jul 17, 2024 17:10:16.256694078 CEST | 80 | 49736 | 110.249.194.76 | 192.168.2.4
Jul 17, 2024 17:10:16.415045977 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.415550947 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.416790009 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.416790009 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.421659946 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.421739101 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.557754040 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.558199883 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.558199883 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.563029051 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.563205004 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.585025072 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.585079908 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.586383104 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.586383104 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.591217995 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.591417074 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.752386093 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.752510071 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.753545046 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.753545046 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.758455992 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.819785118 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.820014000 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.820050955 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:16.824791908 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.824944019 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:16.866070032 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.866126060 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.867706060 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.867706060 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.872646093 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.980597019 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.980798960 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.982928991 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.982928991 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:16.987755060 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:16.987807035 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.148133039 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.152513027 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.155025005 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.155025005 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.159953117 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.171869040 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.172063112 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.172063112 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.176798105 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.177016020 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.251981974 CEST | 80 | 49736 | 110.249.194.76 | 192.168.2.4
Jul 17, 2024 17:10:17.267460108 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.267640114 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.268661976 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.268661976 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.273432016 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.273514032 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.295739889 CEST | 49736 | 80 | 192.168.2.4 | 110.249.194.76
Jul 17, 2024 17:10:17.382500887 CEST | 80 | 49736 | 110.249.194.76 | 192.168.2.4
Jul 17, 2024 17:10:17.436412096 CEST | 49736 | 80 | 192.168.2.4 | 110.249.194.76
Jul 17, 2024 17:10:17.450845957 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.451008081 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.451546907 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.453701019 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.453701019 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.456121922 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.456166983 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.458760023 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.460912943 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.461060047 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.512062073 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.512248039 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.512303114 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.517143011 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.517180920 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.566576004 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.572508097 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.590986967 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.591053963 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.596127033 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.704190969 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.704492092 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.705941916 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.706039906 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.712711096 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.866533995 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.866656065 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.868762016 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.869271040 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:17.872185946 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.874121904 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.874829054 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.874829054 CEST | 49735 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:17.881757021 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:17.883701086 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:17.883760929 CEST | 80 | 49735 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:18.040452003 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:18.040504932 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:18.041973114 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:18.042223930 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:18.053914070 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:18.094398022 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:18.094563961 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:18.094619989 CEST | 49734 | 80 | 192.168.2.4 | 116.181.3.214
Jul 17, 2024 17:10:18.101542950 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:18.101553917 CEST | 80 | 49734 | 116.181.3.214 | 192.168.2.4
Jul 17, 2024 17:10:18.162694931 CEST | 80 | 49733 | 54.224.49.0 | 192.168.2.4
Jul 17, 2024 17:10:18.162785053 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
Jul 17, 2024 17:10:18.163830042 CEST | 49733 | 80 | 192.168.2.4 | 54.224.49.0
                                      Jul 17, 2024 17:10:18.164518118 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.169343948 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.216381073 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.216553926 CEST4973580192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.216594934 CEST4973580192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.221632004 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.221662998 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.294300079 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.294482946 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.295819044 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.296387911 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.301182032 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.411706924 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.411773920 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.412949085 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.412980080 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.418721914 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.446715117 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.446871042 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.446952105 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.451771021 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.451811075 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.530514956 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.530612946 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.531809092 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.531861067 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.536787987 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.559844971 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.560023069 CEST4973580192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.560023069 CEST4973580192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.565016031 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.565170050 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.646619081 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.646675110 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.648217916 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.648217916 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.653135061 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.760740042 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.760813951 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.761914968 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.761993885 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.766933918 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.766958952 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.778928041 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.779118061 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.779205084 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:18.784450054 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.784475088 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:18.933803082 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.934123993 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.934974909 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.935018063 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:18.940332890 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:18.941036940 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:19.102085114 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:19.102220058 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:19.103116989 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:19.103187084 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:19.108032942 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:19.108285904 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:19.111368895 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:19.111541986 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:19.111592054 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:19.116370916 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:19.116410017 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:19.172398090 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:19.217693090 CEST4973580192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:19.276467085 CEST804973354.224.49.0192.168.2.4
                                      Jul 17, 2024 17:10:19.276635885 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:19.522341013 CEST4973380192.168.2.454.224.49.0
                                      Jul 17, 2024 17:10:19.721704960 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:10:19.764514923 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:10:24.186827898 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:24.186933041 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:24.187036991 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:24.189071894 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:24.189112902 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:25.540309906 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:25.573703051 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:25.573739052 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:25.577426910 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:25.577656031 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:25.588572025 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:25.588675022 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:25.588687897 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:25.588713884 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:25.639477968 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:25.639497995 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:25.686358929 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:26.854310036 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:26.854388952 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:26.854439974 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:26.854654074 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:26.854654074 CEST49743443192.168.2.4119.3.210.249
                                      Jul 17, 2024 17:10:26.854676962 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:26.854686975 CEST44349743119.3.210.249192.168.2.4
                                      Jul 17, 2024 17:10:28.252994061 CEST8049736110.249.194.76192.168.2.4
                                      Jul 17, 2024 17:10:28.253458977 CEST4973680192.168.2.4110.249.194.76
                                      Jul 17, 2024 17:10:28.327682018 CEST4973680192.168.2.4110.249.194.76
                                      Jul 17, 2024 17:10:28.334990978 CEST8049736110.249.194.76192.168.2.4
                                      Jul 17, 2024 17:12:04.642868042 CEST4973580192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:12:04.642868996 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:12:04.648251057 CEST8049734116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:12:04.648327112 CEST4973480192.168.2.4116.181.3.214
                                      Jul 17, 2024 17:12:04.649633884 CEST8049735116.181.3.214192.168.2.4
                                      Jul 17, 2024 17:12:04.649710894 CEST4973580192.168.2.4116.181.3.214
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 17, 2024 17:10:12.698647022 CEST | 50509 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 17:10:12.715121984 CEST | 53 | 50509 | 1.1.1.1 | 192.168.2.4
Jul 17, 2024 17:10:14.644109964 CEST | 56826 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 17:10:14.925374985 CEST | 53 | 56826 | 1.1.1.1 | 192.168.2.4
Jul 17, 2024 17:10:16.234920979 CEST | 65154 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 17:10:16.245639086 CEST | 53 | 65154 | 1.1.1.1 | 192.168.2.4
Jul 17, 2024 17:10:24.164304018 CEST | 53526 | 53 | 192.168.2.4 | 1.1.1.1
Jul 17, 2024 17:10:24.177015066 CEST | 53 | 53526 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 17, 2024 17:10:12.698647022 CEST | 192.168.2.4 | 1.1.1.1 | 0xe189 | Standard query (0) | collect.installeranalytics.com | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:14.644109964 CEST | 192.168.2.4 | 1.1.1.1 | 0xeca2 | Standard query (0) | dw-online.ksosoft.com | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:16.234920979 CEST | 192.168.2.4 | 1.1.1.1 | 0x3cf0 | Standard query (0) | shuc-pc-snow.ksord.com | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:24.164304018 CEST | 192.168.2.4 | 1.1.1.1 | 0xa1f9 | Standard query (0) | downloader.wps.cn | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 17, 2024 17:10:12.715121984 CEST | 1.1.1.1 | 192.168.2.4 | 0xe189 | No error (0) | collect.installeranalytics.com | - | 54.224.49.0 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:12.715121984 CEST | 1.1.1.1 | 192.168.2.4 | 0xe189 | No error (0) | collect.installeranalytics.com | - | 54.204.31.229 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:14.925374985 CEST | 1.1.1.1 | 192.168.2.4 | 0xeca2 | No error (0) | dw-online.ksosoft.com | - | 116.181.3.214 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:16.245639086 CEST | 1.1.1.1 | 192.168.2.4 | 0x3cf0 | No error (0) | shuc-pc-snow.ksord.com | - | 110.249.194.76 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:24.177015066 CEST | 1.1.1.1 | 192.168.2.4 | 0xa1f9 | No error (0) | downloader.wps.cn | klbv2.wpsdns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 17, 2024 17:10:24.177015066 CEST | 1.1.1.1 | 192.168.2.4 | 0xa1f9 | No error (0) | klbv2.wpsdns.com | - | 119.3.210.249 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 17:10:24.177015066 CEST | 1.1.1.1 | 192.168.2.4 | 0xa1f9 | No error (0) | klbv2.wpsdns.com | - | 139.9.135.197 | A (IP address) | IN (0x0001) | false
                                      • downloader.wps.cn
                                      • collect.installeranalytics.com
                                      • dw-online.ksosoft.com
                                      • shuc-pc-snow.ksord.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 54.224.49.0 | 80 | 2896 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jul 17, 2024 17:10:12.734359980 CEST | 241 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 168
                                      Cache-Control: no-cache
Jul 17, 2024 17:10:12.734359980 CEST | 168 | OUT | Data Raw: 71 74 3d 35 35 39 39 38 31 32 26 74 3d 6c 69 66 65 63 79 63 6c 65 26 6c 63 3d 73 74 61 72 74 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61 76 3d 37 36 2e 32 33 2e 36 36 26 63 69 64 3d 37
                                      Data Ascii: qt=5599812&t=lifecycle&lc=start&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:13.256496906 CEST | 338 | IN | HTTP/1.1 200 OK
                                      Cache-control: no-cache="set-cookie"
                                      Date: Wed, 17 Jul 2024 15:10:13 GMT
                                      Set-Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366;PATH=/;MAX-AGE=600
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:13.272914886 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 180
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:13.272914886 CEST | 180 | OUT | Data Raw: 71 74 3d 35 36 30 30 34 35 33 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61 76 3d 37 36
                                      Data Ascii: qt=5600453&t=property&lb=VersionNT&val=1000&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:13.446481943 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:13 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:13.472491980 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 182
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:13.472546101 CEST | 182 | OUT | Data Raw: 71 74 3d 35 36 30 30 36 35 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 36 34 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61 76 3d
                                      Data Ascii: qt=5600656&t=property&lb=VersionNT64&val=1000&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:13.648201942 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:13 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:13.680234909 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 185
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:13.680234909 CEST | 185 | OUT | Data Raw: 71 74 3d 35 36 30 30 38 35 39 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 68 79 73 69 63 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 38 31 39 31 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26
                                      Data Ascii: qt=5600859&t=property&lb=PhysicalMemory&val=8191&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:13.793901920 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:13 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:13.797785044 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 181
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:13.797904968 CEST | 181 | OUT | Data Raw: 71 74 3d 35 36 30 30 39 38 34 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4d 73 69 26 76 61 6c 3d 35 2e 30 30 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61 76 3d 37
                                      Data Ascii: qt=5600984&t=property&lb=VersionMsi&val=5.00&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:13.963952065 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:13 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:13.965502024 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 175
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:13.965598106 CEST | 175 | OUT | Data Raw: 71 74 3d 35 36 30 31 31 34 30 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 55 49 4c 65 76 65 6c 26 76 61 6c 3d 33 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61 76 3d 37 36 2e 32 33 2e 36
                                      Data Ascii: qt=5601140&t=property&lb=UILevel&val=3&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:14.080120087 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:14 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:14.081881046 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 184
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:14.082060099 CEST | 184 | OUT | Data Raw: 71 74 3d 35 36 30 31 32 36 35 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 69 72 74 75 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 36 36 39 33 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61
                                      Data Ascii: qt=5601265&t=property&lb=VirtualMemory&val=6693&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:14.198117971 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:14 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:14.199641943 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 184
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:14.199641943 CEST | 184 | OUT | Data Raw: 71 74 3d 35 36 30 31 33 37 35 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 4d 73 69 4e 54 50 72 6f 64 75 63 74 54 79 70 65 26 76 61 6c 3d 31 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61
                                      Data Ascii: qt=5601375&t=property&lb=MsiNTProductType&val=1&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:14.314155102 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:14 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:14.315696001 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 184
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
Jul 17, 2024 17:10:14.315696955 CEST | 184 | OUT | Data Raw: 71 74 3d 35 36 30 31 35 30 30 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 53 65 72 76 69 63 65 50 61 63 6b 4c 65 76 65 6c 26 76 61 6c 3d 30 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61 26 61
                                      Data Ascii: qt=5601500&t=property&lb=ServicePackLevel&val=0&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
Jul 17, 2024 17:10:14.494215012 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:14 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
Jul 17, 2024 17:10:14.496368885 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 186
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:14.496368885 CEST | 186 | OUT | Data Raw: 71 74 3d 35 36 30 31 36 37 31 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 72 6f 64 75 63 74 4c 61 6e 67 75 61 67 65 26 76 61 6c 3d 32 30 35 32 26 76 3d 33 26 61 69 64 3d 36 36 39 36 63 39 35 36 32 66 66 35 30 38 62 66 62 61 38 31 65 66 30 61
                                      Data Ascii: qt=5601671&t=property&lb=ProductLanguage&val=2052&v=3&aid=6696c9562ff508bfba81ef0a&av=76.23.66&cid=700FE11B8D5DC060C5656D9D4D19B4AF9C9772F9&sid=%7B8AE698CD-4D24-4723-A62C-73BE1AFF81EE%7D
                                       Jul 17, 2024 17:10:14.677228928 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:14 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:14.679240942 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 196
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:14.799758911 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:14 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:14.802352905 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 193
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:14.969542980 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:14 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:15.255584955 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 196
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:15.467645884 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:15 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:15.470438004 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 193
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:15.583059072 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:15 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:15.585206985 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 195
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:15.697824001 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:15 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:15.699244976 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 211
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:15.813503027 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:15 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:15.816407919 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 212
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:15.937577963 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:15 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:15.940515041 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 194
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:16.125011921 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:16.126827955 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 208
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:16.244419098 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:16.245954990 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 200
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:16.415045977 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:16.416790009 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 202
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:16.585025072 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:16.586383104 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 202
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:16.752386093 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:16.753545046 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 204
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:16.866070032 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:16.867706060 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 203
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:16.980597019 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:16.982928991 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 205
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:17.148133039 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:17.155025005 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 205
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:17.267460108 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:17.268661976 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 208
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:17.451008081 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:17.453701019 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 207
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:17.566576004 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:17.590986967 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 202
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:17.704190969 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:17.705941916 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 209
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:17.866533995 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:17.868762016 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 213
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.040452003 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.041973114 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 192
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.162694931 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.163830042 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 184
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.294300079 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.295819044 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 177
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.411706924 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.412949085 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 185
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.530514956 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.531809092 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 185
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.646619081 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.648217916 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 173
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.760740042 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.761914968 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 180
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:18.933803082 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:18.934974909 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 220
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:19.102085114 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:19 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive
                                       Jul 17, 2024 17:10:19.103116989 CEST | 396 | OUT | POST / HTTP/1.1
                                      Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                      User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                      Host: collect.installeranalytics.com
                                      Content-Length: 177
                                      Cache-Control: no-cache
                                      Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DE10DBFD7E5D4AE6378040B3BE1E956BB8943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                       Jul 17, 2024 17:10:19.276467085 CEST | 122 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 17 Jul 2024 15:10:19 GMT
                                      X-Powered-By: Express
                                      Content-Length: 0
                                      Connection: keep-alive


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.4 | 49734 | 116.181.3.214 | 80 | 7412 | C:\Users\user\AppData\Roaming\WPS.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 17, 2024 17:10:15.262120962 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 185
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:15.262474060 CEST | 185 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","eventsVersion":0,"sdkType":"C++","sdkVersion":"2.8.16","sendUrlVersion":0,"transportControlVersion":0}
                                      Jul 17, 2024 17:10:16.210469961 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:16.210740089 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:16.210784912 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:16.819785118 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:16.820014000 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:16.820050955 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:17.450845957 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:17.456121922 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:17.456166983 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:18.094398022 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:18.094563961 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:18.094619989 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:18.446715117 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:18.446871042 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:18.446952105 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:18.778928041 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:18.779118061 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:18.779205084 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:19.111368895 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:19.111541986 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:19.111592054 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:19.721704960 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:19 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
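
The session rows above (and the AdvinstAnalytics rows before them) are Joe Sandbox HTTP records whose columns were fused during extraction: timestamp, byte count, direction and data run together, and the request bodies are only partly hex-dumped. The following Python is an added example, not code from the sandbox report, from Joe Security or from any of the products named on this page. It splits such rows back into fields, groups them by destination Host, measures the gap between consecutive requests to the same host, hex-decodes the Data Raw bodies, flags bodies that are shorter than the declared length, and pulls out any URL the server returned (here the sendUrls entry). That per-host cadence and parameter view is what an analyst checks when deciding whether repeated POSTs from a dropped binary are a beacon or an SDK's telemetry handshake. The sample rows are constructed from the capture shown on this page with the hex bodies regenerated from the visible Data Ascii text; the regular expressions, function names and summary layout are the example's own and are not part of any tool.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# A Joe Sandbox HTTP-session row with its columns fused by extraction:
#   "<timestamp> <tz><bytes transferred><IN|OUT><data>"
ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{1,9}) "
                    r"(?P<tz>[A-Z]{3,5})(?P<bytes>\d+)(?P<dir>IN|OUT)(?P<data>.*)$")
REQUEST_LINE_RE = re.compile(r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/\d\.\d$")
URL_RE = re.compile(r"https?://[^\s\"'()<>]+")

# Constructed sample: rows taken from the capture on this page, hex bodies regenerated
# from the visible "Data Ascii" text. The request body stops at 82 of its declared 185
# bytes, exactly as the report truncates it; the response body is complete (261 bytes).
REQ_BODY_TRUNCATED = ('{"appToken":"6561882c644c3686","appVersion":"11.1.0.12919",'
                      '"channel":"12012.2019",')
RESP_BODY = ('{"uploadStrategy":{"version":1590138000000,"transportControl":'
             '{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,'
             '"cumulative":30}},"sendUrls":{"version":1590138000000,'
             '"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}')

def to_hex(text):
    return " ".join(f"{b:02x}" for b in text.encode("utf-8"))

SAMPLE_ROWS = [
    "Jul 17, 2024 17:10:15.262120962 CEST165OUTPOST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1",
    "Content-Length: 185",
    "Host: dw-online.ksosoft.com",
    "Jul 17, 2024 17:10:15.262474060 CEST185OUTData Raw: " + to_hex(REQ_BODY_TRUNCATED),
    "Jul 17, 2024 17:10:16.210469961 CEST552INHTTP/1.1 200",
    "Content-Length: 261",
    "Data Raw: " + to_hex(RESP_BODY),
    "Jul 17, 2024 17:10:16.210740089 CEST165OUTPOST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1",
    "Host: dw-online.ksosoft.com",
    "Jul 17, 2024 17:10:16.820014000 CEST165OUTPOST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1",
    "Host: dw-online.ksosoft.com",
    "Jul 17, 2024 17:10:18.934974909 CEST396OUTPOST / HTTP/1.1",
    "Host: collect.installeranalytics.com",
]

def parse_timestamp(ts):
    head, frac = ts.rsplit(".", 1)  # strptime's %f takes at most 6 digits; the capture has 9
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")

def parse_rows(lines):
    """A timestamped row opens a record; untimestamped rows (headers, Data Raw) join it."""
    records = []
    for line in (raw_line.strip() for raw_line in lines):
        m = ROW_RE.match(line)
        if m:
            records.append({"time": parse_timestamp(m["ts"]), "bytes": int(m["bytes"]),
                            "dir": m["dir"], "lines": [m["data"]]})
        elif line and records:
            records[-1]["lines"].append(line)
    return records

def header(record, name):
    for line in record["lines"]:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None

def decode_body(record):
    """Hex-decode a 'Data Raw:' line; JSON parsing fails on truncated bodies."""
    for line in record["lines"]:
        if line.startswith("Data Raw:"):
            raw = bytes.fromhex(line[len("Data Raw:"):])
            try:
                return raw, json.loads(raw.decode("utf-8"))
            except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
                return raw, None
    return b"", None

def summarize(records):
    """Per Host: request count, seconds between consecutive requests, bytes per
    direction, parseable JSON bodies, bodies shorter than declared, URLs in bodies."""
    summary = defaultdict(lambda: {"requests": 0, "gaps": [], "bytes_out": 0, "bytes_in": 0,
                                   "json_bodies": 0, "truncated": 0, "urls": set()})
    last_request, host = {}, None
    for rec in records:
        first = rec["lines"][0]
        if rec["dir"] == "OUT" and REQUEST_LINE_RE.match(first):
            host = header(rec, "Host") or host  # keep-alive requests may omit Host
            if host is not None:
                if host in last_request:
                    summary[host]["gaps"].append((rec["time"] - last_request[host]).total_seconds())
                last_request[host] = rec["time"]
                summary[host]["requests"] += 1
        if host is None:
            continue
        entry = summary[host]
        entry["bytes_out" if rec["dir"] == "OUT" else "bytes_in"] += rec["bytes"]
        raw, parsed = decode_body(rec)
        if not raw:
            continue
        entry["json_bodies"] += int(parsed is not None)
        entry["urls"].update(URL_RE.findall(raw.decode("utf-8", "replace")))
        # A request-body row declares its own size; a response body is bounded by Content-Length.
        declared = rec["bytes"] if first.startswith("Data Raw:") else header(rec, "Content-Length")
        if declared is not None and len(raw) < int(declared):
            entry["truncated"] += 1
    return dict(summary)

if __name__ == "__main__":
    for host, e in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(host, e["requests"], [round(g, 3) for g in e["gaps"]], e["truncated"], sorted(e["urls"]))
```

Run against the real report, feed it the rows of one session at a time, since the Session ID table separates connections and the parser attributes untimestamped rows to the last timestamped one. Note that the report's Data Raw hex is cut short while the Data Ascii line beside it is printed in full, so when the hex fails to parse as JSON, read the ASCII line rather than concluding the body was malformed.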


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.4 | 49735 | 116.181.3.214 | 80 | 7412 | C:\Users\user\AppData\Roaming\WPS.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 17, 2024 17:10:15.262140989 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:15.262140989 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:16.220155954 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:16.220415115 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:16.220415115 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:16.557754040 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:16 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:16.558199883 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:16.558199883 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                      Jul 17, 2024 17:10:17.171869040 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Raw: 7b 22 75 70 6c 6f 61 64 53 74 72 61 74 65 67 79 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 74 72 61 6e 73 70 6f 72 74 43 6f 6e 74 72 6f 6c 22 3a 7b 22 73 70 6c 69 74 53 69 7a 65 22 3a 35 30 2c 22 67 7a 69 70 53 69 7a 65 22 3a 31 30 7d 2c 22 75 70 6c 6f 61 64 43 6f 6e 64 69 74 69 6f 6e 73 22 3a 7b 22 74 69 6d 65 49 6e 74 65 72 76 61 6c 22 3a 32 2c 22 63 75 6d 75 6c 61 74 69 76 65 22 3a 33 30 7d 7d 2c 22 73 65 6e 64 55 72 6c 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 2c 22 75 72 6c 73 22 3a 22 28 68 74 74 70 3a 2f 2f 73 68 75 63 2d 70 63 2d 73 6e 6f 77 2e 6b 73 6f 72 64 2e 63 6f 6d 29 22 7d 2c 22 65 76 65 6e 74 73 22 3a 7b 22 76 65 72 73 69 6f 6e 22 3a 31 35 39 30 31 33 38 30 30 30 30 30 30 7d 7d
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                      Jul 17, 2024 17:10:17.172063112 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                      Jul 17, 2024 17:10:17.172063112 CEST | 120 | OUT | Data Raw: 7b 22 61 70 70 54 6f 6b 65 6e 22 3a 22 36 35 36 31 38 38 32 63 36 34 34 63 33 36 38 36 22 2c 22 61 70 70 56 65 72 73 69 6f 6e 22 3a 22 31 31 2e 31 2e 30 2e 31 32 39 31 39 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 31 32 30 31 32 2e 32 30 31 39 22 2c
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                       Jul 17, 2024 17:10:17.512062073 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                       Jul 17, 2024 17:10:17.512248039 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                       Jul 17, 2024 17:10:17.512303114 CEST | 120 | OUT | Data Raw: [hex omitted]
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                       Jul 17, 2024 17:10:17.872185946 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:17 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                       Jul 17, 2024 17:10:17.874829054 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                       Jul 17, 2024 17:10:17.874829054 CEST | 120 | OUT | Data Raw: [hex omitted]
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                       Jul 17, 2024 17:10:18.216381073 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                       Jul 17, 2024 17:10:18.216553926 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                       Jul 17, 2024 17:10:18.216594934 CEST | 120 | OUT | Data Raw: [hex omitted]
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                       Jul 17, 2024 17:10:18.559844971 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:18 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}
                                       Jul 17, 2024 17:10:18.560023069 CEST | 165 | OUT | POST /api/dynamicParam/v3/app/6561882c644c3686 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      Content-Length: 120
                                      Host: dw-online.ksosoft.com
                                       Jul 17, 2024 17:10:18.560023069 CEST | 120 | OUT | Data Raw: [hex omitted]
                                      Data Ascii: {"appToken":"6561882c644c3686","appVersion":"11.1.0.12919","channel":"12012.2019","sdkType":"C++","sdkVersion":"2.8.16"}
                                       Jul 17, 2024 17:10:19.172398090 CEST | 552 | IN | HTTP/1.1 200
                                      Server: CLOUD ELB 1.0.0
                                      Date: Wed, 17 Jul 2024 15:10:19 GMT
                                      Content-Type: application/json
                                      Content-Length: 261
                                      Connection: keep-alive
                                      Vary: Origin
                                      Vary: Access-Control-Request-Method
                                      Vary: Access-Control-Request-Headers
                                      t: 1
                                      sign: 0d126b605f98cf8ac543b74256d4e627
                                      Data Ascii: {"uploadStrategy":{"version":1590138000000,"transportControl":{"splitSize":50,"gzipSize":10},"uploadConditions":{"timeInterval":2,"cumulative":30}},"sendUrls":{"version":1590138000000,"urls":"(http://shuc-pc-snow.ksord.com)"},"events":{"version":1590138000000}}


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       3 | 192.168.2.4 | 49736 | 110.249.194.76 | 80 | 7412 | C:\Users\user\AppData\Roaming\WPS.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       Jul 17, 2024 17:10:16.251719952 CEST | 144 | OUT | POST / HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/json
                                      dw-protocol: 1.0
                                      Content-Length: 889
                                      Host: shuc-pc-snow.ksord.com
                                       Jul 17, 2024 17:10:16.251751900 CEST | 889 | OUT | Data Raw: [hex omitted]
                                      Data Ascii: Fdkt8tTx01xrEY61JMHEGrSbZ3lY8GeEpkNNRZdnlJv6aUBR2HltmHtyxl99/kKGVBCHgc2/N4aYWCWorqqXFQdmc/4gA9CBJfN17/CavaMmVvQUCyRdGcz++0oeZkcjyc4ainlbLnCwjBM1c0BiDJRMMd2U0g0tcZDiLSUUi0hgbzHxS6x8Q7IvI653GZFPX0QxkTHt8DHzBRGa1CezLeXvzxVLRn6pcapPwogtUokbAU2A
                                       Jul 17, 2024 17:10:17.251981974 CEST | 71 | IN | HTTP/1.1 200 OK
                                       Transfer-Encoding: chunked
                                       Connection: keep-alive
                                       Jul 17, 2024 17:10:17.382500887 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       0 | 192.168.2.4 | 49743 | 119.3.210.249 | 443 | 7412 | C:\Users\user\AppData\Roaming\WPS.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-07-17 15:10:25 UTC | 387 | OUT | POST /api/v1/link HTTP/1.1
                                      Host: downloader.wps.cn
                                      Accept: */*
                                      Client-Type: loader-pc
                                      Client-Chan: 10.1.xxxx
                                      Client-Ver: 1.0.0
                                      Client-Lang: zh
                                      Content-Type: application/json
                                      Authorization: WPS:yqW282sr:YzhiYWY3ZjA1NWE5MGNmOWY2YzUyYjgzNjMyMjczNDUyMmQ5ZjMwZA==
                                      Date: Wed, 17 Jul 2024 16:40:47 GMT
                                      Content-Md5: ZmUyMDdjYmZiOTFiZmIyMjQxOGZhNWNhZjU1ODgxZGY=
                                      Content-Length: 151
                                       2024-07-17 15:10:25 UTC | 151 | OUT | Data Raw: [hex omitted]
                                      Data Ascii: {"loader_chan":"12012.2019","loader_md5":"b52ba2b99108c496389ae5bb81fa6537","loader_ver":"11.1.0.12919","os_ver":"10.0","p_mod":"installer","r_id":"0"}
                                       2024-07-17 15:10:26 UTC | 153 | IN | HTTP/1.1 200 OK
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 844
                                      Connection: close
                                      Date: Wed, 17 Jul 2024 15:10:26 GMT
                                      X-KLB: 2
                                       2024-07-17 15:10:26 UTC | 844 | IN | Data Raw: [hex omitted]
                                      Data Ascii: {"code":0,"msg":"success","data":{"r_id":"0","url":"https://official-package.wpscdn.cn/wps/download/WPS_Setup_15319.exe","f_size":236945504,"f_md5":"2424bed1b2cb949ddb38f72f352a1b77","w_ver":"11.1.0.15319","w_chan":"12012.2019","i_opt":[{"name":"compatibl



                                      Target ID:0
                                      Start time:11:10:05
                                      Start date:17/07/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WPS#U529e#U516c#U8f6f#U4ef6 v76.23.66.msi"
                                      Imagebase:0x7ff65d660000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:1
                                      Start time:11:10:05
                                      Start date:17/07/2024
                                      Path:C:\Windows\System32\msiexec.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                      Imagebase:0x7ff65d660000
                                      File size:69'632 bytes
                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:2
                                      Start time:11:10:06
                                      Start date:17/07/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding AF7A5A98FCE59EB21923DEC3642535A5
                                      Imagebase:0xbf0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:11:10:10
                                      Start date:17/07/2024
                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding FC7440F48901E81826ED2A23961C7067 E Global\MSI0000
                                      Imagebase:0xbf0000
                                      File size:59'904 bytes
                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:11:10:11
                                      Start date:17/07/2024
                                      Path:C:\Windows\Installer\MSI704E.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Installer\MSI704E.tmp" /DontWait "C:\Users\user\AppData\Roaming\WPS.exe"
                                      Imagebase:0xa30000
                                      File size:399'328 bytes
                                      MD5 hash:B9545ED17695A32FACE8C3408A6A3553
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:5
                                      Start time:11:10:11
                                      Start date:17/07/2024
                                      Path:C:\Windows\Installer\MSI706F.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Installer\MSI706F.tmp" /DontWait "C:\ProgramData\Microsoft\MF\thelper.exe"
                                      Imagebase:0x170000
                                      File size:399'328 bytes
                                      MD5 hash:B9545ED17695A32FACE8C3408A6A3553
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:6
                                      Start time:11:10:12
                                      Start date:17/07/2024
                                      Path:C:\Users\user\AppData\Roaming\WPS.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\WPS.exe"
                                      Imagebase:0xe0000
                                      File size:3'027'728 bytes
                                      MD5 hash:B52BA2B99108C496389AE5BB81FA6537
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 4%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:11:10:12
                                      Start date:17/07/2024
                                      Path:C:\ProgramData\Microsoft\MF\thelper.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\ProgramData\Microsoft\MF\thelper.exe"
                                      Imagebase:0xf80000
                                      File size:231'896 bytes
                                      MD5 hash:17749F66292F190EF93652EB512C5AB7
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000007.00000002.1787100730.0000000001153000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000007.00000002.1787432909.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:8
                                      Start time:11:10:12
                                      Start date:17/07/2024
                                      Path:C:\ProgramData\Microsoft\MF\thelper.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\ProgramData\Microsoft\MF\thelper.exe
                                      Imagebase:0xf80000
                                      File size:231'896 bytes
                                      MD5 hash:17749F66292F190EF93652EB512C5AB7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000008.00000002.1788291853.00000000031E3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000008.00000002.1787680765.00000000018C7000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:11:10:12
                                      Start date:17/07/2024
                                      Path:C:\ProgramData\Microsoft\MF\thelper.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\ProgramData\Microsoft\MF\thelper.exe
                                      Imagebase:0xf80000
                                      File size:231'896 bytes
                                      MD5 hash:17749F66292F190EF93652EB512C5AB7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000009.00000002.1783920751.0000000002C37000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:11:10:13
                                      Start date:17/07/2024
                                      Path:C:\Users\user\AppData\Local\thelper.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\thelper.exe"
                                      Imagebase:0x850000
                                      File size:231'896 bytes
                                      MD5 hash:17749F66292F190EF93652EB512C5AB7
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:13
                                      Start time:11:10:13
                                      Start date:17/07/2024
                                      Path:C:\Users\user\AppData\Roaming\WPS.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\WPS.exe" -upgradepower
                                      Imagebase:0xe0000
                                      File size:3'027'728 bytes
                                      MD5 hash:B52BA2B99108C496389AE5BB81FA6537
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false
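
The process entries above, run through a small triage script. This is an added example and not part of the Joe Sandbox report: it parses the `Key:Value` blocks verbatim (REPORT_EXCERPT holds Targets 12 and 13 plus the visible tail of the entry that precedes Target 12, trimmed to the fields the script reads and one Yara bullet per rule), then flags executables launched from user-writable directories, processes still alive when the run ended, Yara hits per process, and any MD5 that was executed both with and without elevated privileges. The last check is exactly the thelper.exe case on this page: 17749F66292F190EF93652EB512C5AB7 appears above with elevated privileges true and again as Target 12 with false. The entry whose header lies above the excerpt has no Target ID and is reported as None; the USER_WRITABLE path markers are my own list, not something the report defines.

```python
"""Triage of the per-process 'Target ID' entries of a Joe Sandbox report.
Added example, not part of the report. REPORT_EXCERPT is copied from the
entries above, trimmed to the fields this script reads."""
import re
from typing import Dict, List, Optional

REPORT_EXCERPT = r"""
MD5 hash:17749F66292F190EF93652EB512C5AB7
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000009.00000002.1784186616.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:12
Path:C:\Users\user\AppData\Local\thelper.exe
Wow64 process (32bit):false
MD5 hash:17749F66292F190EF93652EB512C5AB7
Has elevated privileges:false
Has exited:true

Target ID:13
Path:C:\Users\user\AppData\Roaming\WPS.exe
Wow64 process (32bit):true
MD5 hash:B52BA2B99108C496389AE5BB81FA6537
Has elevated privileges:true
Has exited:false
"""

Entry = Dict[str, object]  # 'Key:Value' fields plus 'target_id' and 'bullets'


def parse_entries(text: str) -> List[Entry]:
    """Blank line = entry boundary; '•' lines attach to the preceding key."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current, last_key = None, None
            continue
        if current is None:
            current = {"target_id": None, "bullets": {}}
            entries.append(current)
        if line.startswith("•"):
            if last_key:
                current["bullets"].setdefault(last_key, []).append(line.lstrip("• "))
            continue
        key, sep, value = line.partition(":")  # first colon only: values hold ':' too
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Target ID":
            current["target_id"] = int(value)
        current[key] = value
        last_key = key
    return entries


def _flag(entry: Entry, key: str) -> bool:
    return entry.get(key) == "true"


def yara_rules(entry: Entry) -> List[str]:
    """Rule names from '• Rule: X, Description: ...' bullets, deduplicated."""
    names = set()
    for bullet in entry["bullets"].get("Yara matches", []):
        m = re.match(r"Rule: ([^,]+),", bullet)
        if m:
            names.add(m.group(1))
    return sorted(names)


# Directories a standard user can write to (my own list, not from the report).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def launched_from_user_writable(entry: Entry) -> bool:
    path = str(entry.get("Path", "")).lower()
    return any(marker in path for marker in USER_WRITABLE)


def elevation_mismatches(entries: List[Entry]) -> Dict[str, List[Optional[int]]]:
    """MD5 hashes executed both with and without elevated privileges."""
    by_hash: Dict[str, List[Entry]] = {}
    for e in entries:
        md5 = str(e.get("MD5 hash", "")).upper()
        if md5:
            by_hash.setdefault(md5, []).append(e)
    return {h: [e["target_id"] for e in group] for h, group in by_hash.items()
            if len({_flag(e, "Has elevated privileges") for e in group}) > 1}


def triage(entries: List[Entry]) -> Dict[str, object]:
    return {
        "user_writable_launch": [e["target_id"] for e in entries if launched_from_user_writable(e)],
        "elevated": [e["target_id"] for e in entries if _flag(e, "Has elevated privileges")],
        "still_running": [e["target_id"] for e in entries if not _flag(e, "Has exited")],
        "elevation_mismatch": elevation_mismatches(entries),
        "yara": {e["target_id"]: yara_rules(e) for e in entries if yara_rules(e)},
    }


ENTRIES = parse_entries(REPORT_EXCERPT)

if __name__ == "__main__":
    for name, value in triage(ENTRIES).items():
        print(f"{name}: {value}")
```

On the full report the same script catches the hash reuse across differently privileged runs for every dropped binary, not just the one shown here; feed it the whole "Target ID" list and read the elevation_mismatch and still_running keys first.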


                                        Execution Graph

                                        Execution Coverage:1.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:35.5%
                                        Total number of Nodes:420
                                        Total number of Limit Nodes:11
                                        execution_graph: the node/edge listing of the rendered graph is omitted here. API calls that appear on its nodes: IsProcessorFeaturePresent, GetStartupInfoW, GetCommandLineW, LocalAlloc, LocalFree, ExitProcess, CreateFileW, SetFilePointer, WriteFile, CloseHandle, RegOpenKeyExW, RegQueryValueExW, GetCurrentProcess, OpenProcessToken, GetTokenInformation, GetLastError, ConvertSidToStringSidW, FindCloseChangeNotification, RaiseException, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetProcessHeap, RtlAllocateHeap, EnterCriticalSection, LeaveCriticalSection, RtlWakeAllConditionVariable, SetEvent, ResetEvent, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, CoInitialize, CoCreateInstance, CoUninitialize, VariantInit, VariantClear, IUnknown_QueryService, IUnknown_QueryInterface_Proxy, CoAllowSetForegroundWindow, SysAllocString, SysFreeString, _com_issue_error, OpenProcess, WaitForSingleObject, GetExitCodeProcess, GetForegroundWindow, ShellExecuteExW, GetWindowsDirectoryW, GetModuleHandleW, GetProcAddress, AllowSetForegroundWindow, Sleep, EnumWindows, GetWindowThreadProcessId, GetWindowLongW, BringWindowToTop, GetOEMCP, GetACP.
                                        Three paths in the graph matter for the analyst. From the entry routine a3cdb0 (GetCommandLineW) control reaches a3c870, which reads a registry value (RegOpenKeyExW, RegQueryValueExW) and then calls a36a50, the token check (GetCurrentProcess, OpenProcessToken, GetTokenInformation, ConvertSidToStringSidW). From a36a50 one branch ends in a34ba0, a COM activation (CoInitialize, CoCreateInstance, IUnknown_QueryService, IUnknown_QueryInterface_Proxy, CoAllowSetForegroundWindow) that finishes by waiting on a process (OpenProcess, WaitForSingleObject, GetExitCodeProcess). The other branch ends in a352f0, which looks up the Windows directory (GetWindowsDirectoryW), calls ShellExecuteExW at two sites, resolves AllowSetForegroundWindow through GetModuleHandleW/GetProcAddress, and then hunts for the launched window (Sleep, EnumWindows, GetWindowThreadProcessId, GetWindowLongW, BringWindowToTop) before waiting on it (WaitForSingleObject, GetExitCodeProcess). Failure handling throughout goes through a52937 (SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess) and a311d0 (RaiseException).

                                        Control-flow Graph

                                        control_flow_graph for the function at 00A34BA0 (basic-block edge listing of the rendered graph omitted). Calls made from its blocks: a357c0 (token integrity query), a352f0, CoInitialize, CoCreateInstance, VariantInit (two sites), IUnknown_QueryService, IUnknown_QueryInterface_Proxy (two sites), CoAllowSetForegroundWindow, SysAllocString (three sites), a324c0, a312f0, a33860, a32e60 (two calls), a34270, OpenProcess, WaitForSingleObject, GetExitCodeProcess, CloseHandle, LocalFree, VariantClear (four calls), SysFreeString, CoUninitialize, a311d0 (RaiseException), a3cf40 (_com_issue_error), a57027, a52937.
                                        Reading for the analyst: after querying its own token, this routine activates a COM class out of process (the CoCreateInstance call below passes dwClsContext 4, CLSCTX_LOCAL_SERVER, with rclsid at 00A772B0 and riid at 00A85104), obtains further interfaces through IUnknown_QueryService and IUnknown_QueryInterface_Proxy, grants the object foreground rights with CoAllowSetForegroundWindow, and finally opens a process by ID and waits for it to exit. Which interface is being driven is decided by the CLSID and IID in the associated 00A77000/00A85000 dumps, so resolve those before attributing the behaviour.
                                        APIs
                                          • Part of subcall function 00A357C0: GetCurrentProcess.KERNEL32(00000008,?,9666CEAE,?,-00000010), ref: 00A357D0
                                          • Part of subcall function 00A357C0: OpenProcessToken.ADVAPI32(00000000), ref: 00A357D7
                                        • CoInitialize.OLE32(00000000), ref: 00A34C15
                                        • CoCreateInstance.OLE32(00A772B0,00000000,00000004,00A85104,00000000,?), ref: 00A34C45
                                        • CoUninitialize.OLE32 ref: 00A35187
                                        • _com_issue_error.COMSUPP ref: 00A351B5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
                                        • String ID:
                                        • API String ID: 928366108-0
                                        • Opcode ID: 7be05f67ce5bd2757ecfd6eede0780e0df8563027ab3d905b61f7f5f7954bd98
                                        • Instruction ID: fc80396bc7512e3358e9b0c8ce5e73e8e39459b6fecb58982238c7629b736c6a
                                        • Opcode Fuzzy Hash: 7be05f67ce5bd2757ecfd6eede0780e0df8563027ab3d905b61f7f5f7954bd98
                                        • Instruction Fuzzy Hash: 9C228D70E04388DFEB11DFB8CD48BADBBB4AF49304F248199E809EB291D7759A45CB51

                                        Control-flow Graph

                                        control_flow_graph for the function at 00A36A50 (basic-block edge listing of the rendered graph omitted). Calls made from its blocks: a52937, GetCurrentProcess, OpenProcessToken, a35de0 (GetTokenInformation), a31770 (three sites), a35f40 (ConvertSidToStringSidW), a324c0, a32e60 (two calls), CloseHandle, FindCloseChangeNotification, a357c0 (token integrity query), a32310 (GetProcessHeap-backed allocation, six sites), a346f0 (resource lookup via FindResourceW/LoadResource, six sites), a34ac0 (six sites), a352f0 (ShellExecuteExW routine), a34ba0 (COM activation routine), a311d0 (RaiseException).
                                        Reading for the analyst: the first half opens the current process token, reads token information and converts a SID to a string; together with the string S-1-5-18 (the LocalSystem SID) referenced by this function, see the String ID below, that is plausibly a check of whether the process already runs as SYSTEM. The second half pulls six resources out of the image and then ends in either the ShellExecuteExW routine (a352f0) or the COM routine (a34ba0); which one is taken is not recoverable from the graph alone.
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00A36AC8
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00A36AD5
                                        • CloseHandle.KERNEL32(00000000), ref: 00A36AF5
                                        Strings: S-1-5-18
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Process$CloseCurrentHandleOpenToken
                                        • String ID: S-1-5-18
                                        • API String ID: 4052875653-4289277601
                                        • Opcode ID: 02225aa51312519ee7889b01662db7618b2e705872e6cd70df36fda1a03ca21b
                                        • Instruction ID: 63e0014130d2c7eb2e6a6adfa95dbafcf5a93358f762c65c3a3834238b1098dd
                                        • Opcode Fuzzy Hash: 02225aa51312519ee7889b01662db7618b2e705872e6cd70df36fda1a03ca21b
                                        • Instruction Fuzzy Hash: D302AF70900659EFDF14DFA4C9557EEBBB5EF45354F18C658E802AB281EB30AE05CB90

                                        Control-flow Graph

                                        control_flow_graph for the function at 00A357C0 (edge listing of the rendered graph omitted). Four blocks: GetCurrentProcess followed by OpenProcessToken; if the token cannot be opened the function returns immediately, otherwise GetTokenInformation(TokenIntegrityLevel) runs and both its success and failure branches fall through to CloseHandle on the token. Note that the logged call passes a TokenInformationLength of 4 bytes (see the APIs list below), which is smaller than a TOKEN_MANDATORY_LABEL, so do not assume from this listing alone that the integrity query succeeded on the first call.
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000008,?,9666CEAE,?,-00000010), ref: 00A357D0
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00A357D7
                                        • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00A3580C
                                        • CloseHandle.KERNEL32(?), ref: 00A35822
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                        • String ID:
                                        • API String ID: 215268677-0
                                        • Opcode ID: dab2901b0cc05eade75243fbb4ebf3bec3b9addc71f214b6421aac5436e18490
                                        • Instruction ID: 664beb4b888a86a2ee3f604c78877bfafe619bf67d8ae6df32d9d09334dbd1ac
                                        • Opcode Fuzzy Hash: dab2901b0cc05eade75243fbb4ebf3bec3b9addc71f214b6421aac5436e18490
                                        • Instruction Fuzzy Hash: 51F01D74548301ABEB10DF64EC49BAE7BE8BB44700F508819F985C21A0D379965DDB63

                                        Control-flow Graph

                                        APIs
                                        • GetCommandLineW.KERNEL32(9666CEAE,?,?,?,?,?,?,?,?,?,00A756D5,000000FF), ref: 00A3CDE8
                                          • Part of subcall function 00A31F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00A34251,9666CEAE,00000000,?,00000000,?,?,?,00A74400,000000FF,?), ref: 00A31F9D
                                        • ExitProcess.KERNEL32 ref: 00A3CEB1
                                          • Part of subcall function 00A36600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00A3667E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: AllocCommandCreateExitFileLineLocalProcess
                                        • String ID: Full command line:
                                        • API String ID: 1878577176-831861440
                                        • Opcode ID: f6874bdd4143742b4dba705088de362a25a0170edeab1fda9c8759aa270beec4
                                        • Instruction ID: cb0239afba88e20d7b811a6d16efcb1bdafa60647be5cb074a0bd686827ebf0d
                                        • Opcode Fuzzy Hash: f6874bdd4143742b4dba705088de362a25a0170edeab1fda9c8759aa270beec4
                                        • Instruction Fuzzy Hash: 8C21F171D10214ABCB15FB70CE46BEE73B5AF44B50F148129F406AB292EF749B09CB91

                                        Control-flow Graph

                                        APIs
                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00A35E18,9666CEAE,?), ref: 00A35EB4
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00A35E18,9666CEAE,?), ref: 00A35EBE
                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00A35E18,9666CEAE,?), ref: 00A35F1A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: InformationToken$ErrorLast
                                        • String ID:
                                        • API String ID: 2567405617-0
                                        • Opcode ID: 90fbf057d9c42089e0b9b1ba437c12e6403827ae39ff3af3a9a3918dc66c7879
                                        • Instruction ID: 8d3ee22d99b4092adf7138f4201fb273e5b4bab927c96babf4637e6cf53b8690
                                        • Opcode Fuzzy Hash: 90fbf057d9c42089e0b9b1ba437c12e6403827ae39ff3af3a9a3918dc66c7879
                                        • Instruction Fuzzy Hash: E3318D71A00605AFDB24CFA9CD45BAFFBF9FB44714F20852EF415A7280D7B5A9048BA0

                                        Control-flow Graph

                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00A63841,?,00A6543A,?,00000000,?,00A56CE7,00000000,00A63841,00000000,?,?,?,00A6363B), ref: 00A65C0E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 20b4931e765da03be203db3b81b36dda5f518cf80b4bd58ec35d5ebc74c928f1
                                        • Instruction ID: ed20ffb23a8979b1a2ad04ff878c6a72b2e81c74425e6ea32bdc4e3e4a684c9c
                                        • Opcode Fuzzy Hash: 20b4931e765da03be203db3b81b36dda5f518cf80b4bd58ec35d5ebc74c928f1
                                        • Instruction Fuzzy Hash: D5E06D31E15B219BD7312BB59E01B9E37BCAF917B1F150124FC66961E1DB20CC4186E5

                                        Control-flow Graph

                                        APIs
                                        • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 00A3549C
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 00A3551D
                                        • ShellExecuteExW.SHELL32(?), ref: 00A35601
                                        • ShellExecuteExW.SHELL32(?), ref: 00A35637
                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00A3567C
                                        • GetProcAddress.KERNEL32(00000000), ref: 00A35685
                                        • AllowSetForegroundWindow.USER32(00000000), ref: 00A3568B
                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00A356AB
                                        • GetProcAddress.KERNEL32(00000000), ref: 00A356AE
                                        • Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 00A356CA
                                        • EnumWindows.USER32(00A35830,?), ref: 00A356DF
                                        • BringWindowToTop.USER32(00000000), ref: 00A356F4
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00A35711
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00A3571B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
                                        • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
                                        • API String ID: 697762045-2796270252
                                        • Opcode ID: 3eca98360e3ddffd4fbfb51ed660a732d16f301fa62b82e5fedf724f10ffd0b4
                                        • Instruction ID: 74bb326b32a839fbf236dfa0f186378fe0ab939127354fef0168d3fd5dad6bc0
                                        • Opcode Fuzzy Hash: 3eca98360e3ddffd4fbfb51ed660a732d16f301fa62b82e5fedf724f10ffd0b4
                                        • Instruction Fuzzy Hash: 89E1C171E00A099BCB14EFB8C985BAEB7B5FF44710F548669F819AB291E7309D41CB90
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00A3CBB6
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00A8E6D0,00000800), ref: 00A3CBD3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: OpenQueryValue
                                        • String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
                                        • API String ID: 4153817207-482544602
                                        • Opcode ID: 3bccf14dd34396046544153640b349c8532753611cb76a98a03b1137f0768201
                                        • Instruction ID: 69bc62199b2d14db44efbd3998af7e841d8dcd24b9282e4b52f250b364c6c8c9
                                        • Opcode Fuzzy Hash: 3bccf14dd34396046544153640b349c8532753611cb76a98a03b1137f0768201
                                        • Instruction Fuzzy Hash: F9C1D435A042168BCB34AF24DC0137AB7A1FF95760F598459F88AEB291E771CD82C791
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A338CB
                                        • CloseHandle.KERNEL32(00000000), ref: 00A3390B
                                        • Process32FirstW.KERNEL32(?,00000000), ref: 00A3395F
                                        • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00A3397A
                                        • CloseHandle.KERNEL32(00000000), ref: 00A33A8E
                                        • Process32NextW.KERNEL32(?,00000000), ref: 00A33AA2
                                        • CloseHandle.KERNEL32(?), ref: 00A33AF0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 708755948-0
                                        • Opcode ID: 05a46e697eb37936c5e99c8b7bb92256caca93ee5e991281795e4302b40c8758
                                        • Instruction ID: 0f4ed1fe94921f871b69664765c1bc345aa6f12ebd63bc0d851001ba2601aba0
                                        • Opcode Fuzzy Hash: 05a46e697eb37936c5e99c8b7bb92256caca93ee5e991281795e4302b40c8758
                                        • Instruction Fuzzy Hash: ACA10BB1D05249DFDF10CFA9D998BDEBBF8BF48304F248159E805AB290D7755A44CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 82372e5e322b604f89a20581f96eb2a1d3d60b94f25cc48188217b682f485d50
                                        • Instruction ID: e0d027c359377fc6bdad7d18fc64c5e023079af40c00e565deb1983e759c33d1
                                        • Opcode Fuzzy Hash: 82372e5e322b604f89a20581f96eb2a1d3d60b94f25cc48188217b682f485d50
                                        • Instruction Fuzzy Hash: 3BD20872E082298FDB65CF28DD40BEAB7B5EB44305F1481EAD84DE7241E774AE858F41
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,00A6E8D1,00000002,00000000,?,?,?,00A6E8D1,?,00000000), ref: 00A6E64C
                                        • GetLocaleInfoW.KERNEL32(?,20001004,00A6E8D1,00000002,00000000,?,?,?,00A6E8D1,?,00000000), ref: 00A6E675
                                        • GetACP.KERNEL32(?,?,00A6E8D1,?,00000000), ref: 00A6E68A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: f8e7f6562827ae7f2560432b05e5dcbf7b88e956a2d646fa696e2a0ee6166e80
                                        • Instruction ID: dc0241c0bdeccc0811abb62c6b3655aa19e267a4823169c9734720ddcf7e954a
                                        • Opcode Fuzzy Hash: f8e7f6562827ae7f2560432b05e5dcbf7b88e956a2d646fa696e2a0ee6166e80
                                        • Instruction Fuzzy Hash: 48218E3EB00201AADB34CF54CA04A9B77B6AB74F64B568564E90AD7110FB32DE41C790
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: _swprintf$FreeLocal
                                        • String ID:
                                        • API String ID: 2429749586-0
                                        • Opcode ID: 75d1ab145dc4ed687d175b11cb4603cc55f2f56db52a0d0c6b0a0eef3f7ba80e
                                        • Instruction ID: f3fc1a7067c4bc0550122391bae1ac924153454683a11f923d2e58585d6e57f5
                                        • Opcode Fuzzy Hash: 75d1ab145dc4ed687d175b11cb4603cc55f2f56db52a0d0c6b0a0eef3f7ba80e
                                        • Instruction Fuzzy Hash: 63F1BB71E00219AFDF19DFA8DD41BAEBBB5FF49310F144229F811AB280D775A941CBA1
                                        APIs
                                          • Part of subcall function 00A657CC: GetLastError.KERNEL32(?,00000008,00A6AD4C), ref: 00A657D0
                                          • Part of subcall function 00A657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00A65872
                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00A6E894
                                        • IsValidCodePage.KERNEL32(00000000), ref: 00A6E8DD
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00A6E8EC
                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00A6E934
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00A6E953
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                        • String ID:
                                        • API String ID: 415426439-0
                                        • Opcode ID: 6d47cef9b6d0fb3b249ec51a95b7d4357319b01b095299e14895a8fc6dbab89a
                                        • Instruction ID: 406c9aed4e4f1946f488982bae533d7fea344ebfd58a3e6de86eb3a949e12890
                                        • Opcode Fuzzy Hash: 6d47cef9b6d0fb3b249ec51a95b7d4357319b01b095299e14895a8fc6dbab89a
                                        • Instruction Fuzzy Hash: C7518E75A00215AFEF20DFA9DD45ABE73B8FF59700F144569E904EB190EB70D944CBA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: _strrchr
                                        • String ID:
                                        • API String ID: 3213747228-0
                                        • Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
                                        • Instruction ID: c2fc8d119e0b5410a5f008ea6ab513e860964660be8a10824d745bce374c8485
                                        • Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
                                        • Instruction Fuzzy Hash: 73B14572E046459FDF15CF78C881BEEBBB5EF59300F15816AE905AB241D235DE01CBA1
                                        APIs
                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00A6B0C8
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00A6B143
                                        • FindClose.KERNEL32(00000000), ref: 00A6B165
                                        • FindClose.KERNEL32(00000000), ref: 00A6B188
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID:
                                        • API String ID: 1164774033-0
                                        • Opcode ID: 3d8bdf9d0e52d62b620ccfbdd8e4993543a9aa8b6f31938fbb20a0615eb09354
                                        • Instruction ID: 2d7205298f0444824a31aecf868e5f786412aa38823a1175bfb51c7608ee6c0e
                                        • Opcode Fuzzy Hash: 3d8bdf9d0e52d62b620ccfbdd8e4993543a9aa8b6f31938fbb20a0615eb09354
                                        • Instruction Fuzzy Hash: CF41B671910619AEDB20EFA8DD99AAFB7B8EB85305F108195E419D7180E7309EC48F70
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00A533B4
                                        • IsDebuggerPresent.KERNEL32 ref: 00A53480
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A534A0
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00A534AA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                        • String ID:
                                        • API String ID: 254469556-0
                                        • Opcode ID: fa977d39f8830a1c9d90b08323651168af0f189e19a8a4ee7559a56512f53f63
                                        • Instruction ID: 15b81e472d5065eb10b7a9bda48eb35c3f4b11f1f75a5486193445311be0da8a
                                        • Opcode Fuzzy Hash: fa977d39f8830a1c9d90b08323651168af0f189e19a8a4ee7559a56512f53f63
                                        • Instruction Fuzzy Hash: 7B313875D0521C9BDF10DFA0D989BCDBBB8BF08305F1041AAE50CAB250EB719B898F44
                                        APIs
                                          • Part of subcall function 00A3C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,9666CEAE,?,00A73D30,000000FF), ref: 00A3C657
                                          • Part of subcall function 00A3C630: GetLastError.KERNEL32(?,00000000,00000000,9666CEAE,?,00A73D30,000000FF), ref: 00A3C661
                                        • IsDebuggerPresent.KERNEL32(?,?,00A88AF0), ref: 00A3D0D8
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00A88AF0), ref: 00A3D0E7
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A3D0E2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 3511171328-631824599
                                        • Opcode ID: 0a963ab7b62be8e112ba6ef9197fc322d9c5811f32b464ef5d6c7b3d5039f26e
                                        • Instruction ID: d66b81ec7d358c121f26673c0df710286789591925b82dce2bcaaf55d54047c3
                                        • Opcode Fuzzy Hash: 0a963ab7b62be8e112ba6ef9197fc322d9c5811f32b464ef5d6c7b3d5039f26e
                                        • Instruction Fuzzy Hash: 70E09270204741CFD324EF78ED0474A7BE4AF12700F00C96DF49AD2651EBB4D48A8BA1
                                        APIs
                                          • Part of subcall function 00A657CC: GetLastError.KERNEL32(?,00000008,00A6AD4C), ref: 00A657D0
                                          • Part of subcall function 00A657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00A65872
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A6E28B
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A6E2D5
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A6E39B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: InfoLocale$ErrorLast
                                        • String ID:
                                        • API String ID: 661929714-0
                                        • Opcode ID: 9c5d16ec64d549edc0176c592b719bdd5ac60d40f8dd2f96cf4900ec46c6d408
                                        • Instruction ID: 6a96bdb2466e03d8497f7e674fee6135ae9fc04ef789024ed519d9e0f0c8b883
                                        • Opcode Fuzzy Hash: 9c5d16ec64d549edc0176c592b719bdd5ac60d40f8dd2f96cf4900ec46c6d408
                                        • Instruction Fuzzy Hash: 3C619D799002079FEB28DF28CD86BAA77B8FF14301F108179ED15CA295EB79D985CB50
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A56F13
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A56F1D
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00A56F2A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 17277b23a3d097ca1ee3e1d0bc07aee8f94733d90f4c9b5e88adfb93d827ca33
                                        • Instruction ID: b61681c40364d63fc5e3a607d4ef8d2c675f89648e9d40448ea762a5824be667
                                        • Opcode Fuzzy Hash: 17277b23a3d097ca1ee3e1d0bc07aee8f94733d90f4c9b5e88adfb93d827ca33
                                        • Instruction Fuzzy Hash: 1831C575901218ABCB21DF64DD897CDBBB8BF18311F5041EAE81CA7250E7709F858F44
                                        APIs
                                        • LoadResource.KERNEL32(00000000,00000000,9666CEAE,00000001,00000000,?,00000000,00A74460,000000FF,?,00A3474D,00A33778,?,00000000,00000000,?), ref: 00A345DB
                                        • LockResource.KERNEL32(00000000,?,00000000,00A74460,000000FF,?,00A3474D,00A33778,?,00000000,00000000,?,?,?,?,00A33778), ref: 00A345E6
                                        • SizeofResource.KERNEL32(00000000,00000000,?,00000000,00A74460,000000FF,?,00A3474D,00A33778,?,00000000,00000000,?,?,?), ref: 00A345F4
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Resource$LoadLockSizeof
                                        • String ID:
                                        • API String ID: 2853612939-0
                                        • Opcode ID: cc94c4f59ba48952184b35cd7db482d2f9ac0361e74b4b57b9be52fd63682768
                                        • Instruction ID: ca1f5d0663eac482ff4a2f9991248bf0ab5523937f9d26ba05e44b0d959246ed
                                        • Opcode Fuzzy Hash: cc94c4f59ba48952184b35cd7db482d2f9ac0361e74b4b57b9be52fd63682768
                                        • Instruction Fuzzy Hash: 0811C632A046949BC735CF59DC55B6AF7FCE789725F00493AFC1AD3250EB35AC018690
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                        • Instruction ID: c7f4342c3c82e58bdad8c1a59dbe7dab67ed1adfe671a420b704deff3c6b4851
                                        • Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                        • Instruction Fuzzy Hash: 74F14171E002199FDF18CF69C9806ADB7B1FF88325F158269E815AB381E731AE05CF90
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00A67F64,00000000,00000000,00000000), ref: 00A67E23
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: InformationTimeZone
                                        • String ID:
                                        • API String ID: 565725191-0
                                        • Opcode ID: 8eb462875e162ab111d7d977daed237ed8d1bde48c26b3640b03d6a6f95c1838
                                        • Instruction ID: c402b3c04e4825d86b7a91819d782bb58ae6c2f923fa2ff1a4cdc11dd73d3ed0
                                        • Opcode Fuzzy Hash: 8eb462875e162ab111d7d977daed237ed8d1bde48c26b3640b03d6a6f95c1838
                                        • Instruction Fuzzy Hash: B9D11572A14215EBDB24EBA4DD02ABE7BB9EF04758F244556F901EB291F7308E41CB90
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A684B8,?,?,00000008,?,?,00A714E4,00000000), ref: 00A686EA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 6a8a739cf813969c933763c59aa583da33a2c6b5b84e056544caa58b1799fd89
                                        • Instruction ID: 4a50e3ee45e5e8d24cd58123fa7ce8a9dcb07dd43d41662832b6616c4b65e562
                                        • Opcode Fuzzy Hash: 6a8a739cf813969c933763c59aa583da33a2c6b5b84e056544caa58b1799fd89
                                        • Instruction Fuzzy Hash: 1EB14B35610608CFDB14CF28C48AB657BF4FF45364F258658E99ACF2A1CB39E992CB40
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A535BF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: FeaturePresentProcessor
                                        • String ID:
                                        • API String ID: 2325560087-0
                                        • Opcode ID: 6e3e6ddf0705ef3c11ec7ad22d0dd29c6d5b1952c03b487ab9ac2211321a1b45
                                        • Instruction ID: 7f0e19822e11b9f178e2623326e531ebdb3e9d256f727ed9442fafb8ec705e4f
                                        • Opcode Fuzzy Hash: 6e3e6ddf0705ef3c11ec7ad22d0dd29c6d5b1952c03b487ab9ac2211321a1b45
                                        • Instruction Fuzzy Hash: 4951A0B2D11205DFEB15CF99E8817AABBF0FB88395F24852AC805EB390D3749A05CF50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: e1d658e69434e423c1e8fd0e1649b5b571970244c2a778b1969ef777af2b5269
                                        • Instruction ID: 559c53ab1728088bc2407c209c17fd906706f61293bc797dee2579f8e8272d0d
                                        • Opcode Fuzzy Hash: e1d658e69434e423c1e8fd0e1649b5b571970244c2a778b1969ef777af2b5269
                                        • Instruction Fuzzy Hash: F4C1C074B006468FCB28CF28C590A7EBBB1BF29312F284719DC5697691D730AD4ECB52
                                        APIs
                                          • Part of subcall function 00A657CC: GetLastError.KERNEL32(?,00000008,00A6AD4C), ref: 00A657D0
                                          • Part of subcall function 00A657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00A65872
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A6E4DE
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        • Opcode ID: 0613303e06cdf1fc3c7da41b997a350953b6582e2b785bc0fc6156da1400f21f
                                        • Instruction ID: ba457d6d91b8261be0dbadd2d137921ff77bcd9d505cd5c86679d9cd8ed23756
                                        • Opcode Fuzzy Hash: 0613303e06cdf1fc3c7da41b997a350953b6582e2b785bc0fc6156da1400f21f
                                        • Instruction Fuzzy Hash: 2221BE76A44206ABDB28EF24DD42ABA73B8EF04318F10007AFD06D6281FB34ED058B50
                                        APIs
                                          • Part of subcall function 00A657CC: GetLastError.KERNEL32(?,00000008,00A6AD4C), ref: 00A657D0
                                          • Part of subcall function 00A657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00A65872
                                        • EnumSystemLocalesW.KERNEL32(00A6E237,00000001,00000000,?,-00000050,?,00A6E868,00000000,?,?,?,00000055,?), ref: 00A6E183
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: ba5f1a9cf0e98bf989b30d9ae4f0e5844fcc7939a177f0a4f1fb028a7f438876
                                        • Instruction ID: ab80be297363a1c2b24f9fd1571428b4bf01a6178f6b4ee3d2b99253af431c21
                                        • Opcode Fuzzy Hash: ba5f1a9cf0e98bf989b30d9ae4f0e5844fcc7939a177f0a4f1fb028a7f438876
                                        • Instruction Fuzzy Hash: 3111293E2007019FDF18DF38C8A15BAB7A2FF80719B15452CE54647A40D3717943DB40
                                        APIs
                                          • Part of subcall function 00A657CC: GetLastError.KERNEL32(?,00000008,00A6AD4C), ref: 00A657D0
                                          • Part of subcall function 00A657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00A65872
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A6E453,00000000,00000000,?), ref: 00A6E6E5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale
                                        • String ID:
                                        • API String ID: 3736152602-0
                                        • Opcode ID: 80f112f882a7c72780b7d81fa45a1f933ddb7a13f5dc48688ed338fc670f5389
                                        • Instruction ID: ab5fec572e54acec2690ae6bb9bb616dc55e74bd99be5a210a9e4a1ae3733e04
                                        • Opcode Fuzzy Hash: 80f112f882a7c72780b7d81fa45a1f933ddb7a13f5dc48688ed338fc670f5389
                                        • Instruction Fuzzy Hash: 1DF0CD3AA00212BFDB28DB64CD09BFA7778EB40754F154834EC15A3180EA74FD41C690
                                        APIs
                                          • Part of subcall function 00A657CC: GetLastError.KERNEL32(?,00000008,00A6AD4C), ref: 00A657D0
                                          • Part of subcall function 00A657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00A65872
                                        • EnumSystemLocalesW.KERNEL32(00A6E48A,00000001,?,?,-00000050,?,00A6E82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00A6E1F6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        • Opcode ID: eed596a8b92a445b61fd3d208ec91630a044d5d1a34341f18ac7115a621a6e86
                                        • Instruction ID: 01e4f7305da080d095d5a02c7af9528a76462cf269637884fa313abb916eb6e5
                                        • Opcode Fuzzy Hash: eed596a8b92a445b61fd3d208ec91630a044d5d1a34341f18ac7115a621a6e86
                                        • Instruction Fuzzy Hash: 30F0463A2003046FCB249F348C85A7A7BA9FF81728F04842CF9058BA80D6B19C42DB50
                                        APIs
                                          • Part of subcall function 00A61C9A: EnterCriticalSection.KERNEL32(-00A8DE50,?,00A63576,?,00A8A078,0000000C,00A63841,?), ref: 00A61CA9
                                        • EnumSystemLocalesW.KERNEL32(Function_00037125,00000001,00A8A1D8,0000000C,00A67554,?), ref: 00A6716A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        APIs
                                          • Part of subcall function 00A657CC: GetLastError.KERNEL32(?,00000008,00A6AD4C), ref: 00A657D0
                                          • Part of subcall function 00A657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00A65872
                                        • EnumSystemLocalesW.KERNEL32(00A6E01F,00000001,?,?,?,00A6E88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00A6E0FD
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2417226690-0
                                        APIs
                                        • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00A500E2,00000000,00000000,00000004,00A4ED14,00000000,00000004,00A4F127,00000000,00000000), ref: 00A52410
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00A64E3F,?,20001004,00000000,00000002,?,?,00A64441), ref: 00A676E3
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,00A53077), ref: 00A53544
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        APIs
                                          • Part of subcall function 00A52C98: EnterCriticalSection.KERNEL32(00A8DD3C,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52CA3
                                          • Part of subcall function 00A52C98: LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52CE0
                                        • GetProcessHeap.KERNEL32 ref: 00A32365
                                          • Part of subcall function 00A52C4E: EnterCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C58
                                          • Part of subcall function 00A52C4E: LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C8B
                                          • Part of subcall function 00A52C4E: RtlWakeAllConditionVariable.NTDLL ref: 00A52D02
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
                                        • String ID:
                                        • API String ID: 325507722-0
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0

                                        Control-flow Graph

                                        • Interactive control-flow graph not reproduced; the APIs reached by this function are listed below.
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00A3667E
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00A366D7
                                        • LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00A366E2
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00A366FE
                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00A749E5,000000FF), ref: 00A367DB
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A749E5,000000FF), ref: 00A367E7
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00A749E5), ref: 00A3682F
                                        • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,00A749E5,000000FF), ref: 00A3684A
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00A749E5), ref: 00A36867
                                        • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00A749E5,000000FF), ref: 00A36891
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00A368D8
                                        • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00A3692A
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A749E5,000000FF), ref: 00A3695C
                                        Strings
                                        Similarity
                                        • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                        • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                        • API String ID: 2199533872-3004881174

                                        Control-flow Graph

                                        • Interactive control-flow graph not reproduced; the APIs and strings reached by this function are listed below.
                                        APIs
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00A8DD3C,00000FA0,?,?,00A52B6A), ref: 00A52B98
                                        • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00A52B6A), ref: 00A52BA3
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00A52B6A), ref: 00A52BB4
                                        • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A52BC6
                                        • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A52BD4
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00A52B6A), ref: 00A52BF7
                                        • DeleteCriticalSection.KERNEL32(00A8DD3C,00000007,?,?,00A52B6A), ref: 00A52C13
                                        • CloseHandle.KERNEL32(00000000,?,?,00A52B6A), ref: 00A52C23
                                        Strings
                                        • WakeAllConditionVariable, xrefs: 00A52BCC
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A52B9E
                                        • kernel32.dll, xrefs: 00A52BAF
                                        • SleepConditionVariableCS, xrefs: 00A52BC0
                                        Similarity
                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 2565136772-3242537097
                                        • Opcode ID: de0cf06e2562efacd25244a37799cb325c2ce67fa4cbee4f859488f2971c2024
                                        • Instruction ID: 56097a3005fb3bf0975058cc65451261bf812dd79ee10c83ca63d6cc4a84f32c
                                        • Opcode Fuzzy Hash: de0cf06e2562efacd25244a37799cb325c2ce67fa4cbee4f859488f2971c2024
                                        • Instruction Fuzzy Hash: 1B017571A85311ABD6219FB5AC0DF5E3B68BF52752B01CC11BD08D22E0EA74C847CB61

Control-flow graph (nodes 617-738, blocks a55caf-a56058; internal calls to a56c18, a62a07, a5596a, a56059, a5395b, a54754, a566be, a63980, a5618f, a55c2f, a53b4e, a565be, a5677b, a56535, a56352, a5633a, a53e5a)
                                        APIs
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00A55DAC
                                        • type_info::operator==.LIBVCRUNTIME ref: 00A55DCE
                                        • ___TypeMatch.LIBVCRUNTIME ref: 00A55EDD
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00A55FAF
                                        • _UnwindNestedFrames.LIBCMT ref: 00A56033
                                        • CallUnexpected.LIBVCRUNTIME ref: 00A5604E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2123188842-393685449
                                        • Opcode ID: 4f705b28044c9db3a38ad06adb2fd6a969f573c566871f6bba4b2c060ba915aa
                                        • Instruction ID: 993f85e363a15f10e1f1660b2dfdcd6774ae09efee4f0d94fa8b35382b85bce3
                                        • Opcode Fuzzy Hash: 4f705b28044c9db3a38ad06adb2fd6a969f573c566871f6bba4b2c060ba915aa
                                        • Instruction Fuzzy Hash: 89B18A32C00609EFCF28DFA4D9A19AEBBB5FF14316F14805AEC156B212D730DA59CB91
                                        APIs
                                        • OpenProcess.KERNEL32(00000400,00000000,?,9666CEAE,?,?,?), ref: 00A342D2
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,9666CEAE,?,?,?), ref: 00A342F3
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,9666CEAE,?,?,?), ref: 00A34326
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,9666CEAE,?,?,?), ref: 00A34337
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A34355
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A34371
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A34399
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A343B5
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A343D3
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A343EF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CloseHandle$Process$OpenTimes
                                        • String ID:
                                        • API String ID: 1711917922-0
                                        • Opcode ID: 5e556d161698a254df51657e42962ca4242fea0104c0f1d46757f6a2819352e7
                                        • Instruction ID: fa52d11efb92aea2bbbb62547bfaab8a4fef414b1ace3e2240c11eed10895a3c
                                        • Opcode Fuzzy Hash: 5e556d161698a254df51657e42962ca4242fea0104c0f1d46757f6a2819352e7
                                        • Instruction Fuzzy Hash: 2A5159B0D05618EBDB10DF99DD84BAEBBB8FF49714F244219E514BB280C7746D058BA4
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4BBC4
                                          • Part of subcall function 00A4254E: __EH_prolog3.LIBCMT ref: 00A42555
                                          • Part of subcall function 00A4254E: std::_Lockit::_Lockit.LIBCPMT ref: 00A4255F
                                          • Part of subcall function 00A4254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00A425D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                        • API String ID: 1538362411-2891247106
                                        • Opcode ID: ec18bb8a2467578dbefb9a508a9073f93746fe05ed282cf39087d7435fd3309c
                                        • Instruction ID: 7b935d0a82a85d0cee0cfa26e65aa245f0a44f53a0ec8ff6fc0aa840728979fe
                                        • Opcode Fuzzy Hash: ec18bb8a2467578dbefb9a508a9073f93746fe05ed282cf39087d7435fd3309c
                                        • Instruction Fuzzy Hash: 79B17F7A51010AABCF19DF68CE96DFE3BB9FB88304F144119FA0AA6251D731DA10DB60
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A50CA4
                                          • Part of subcall function 00A39270: std::_Lockit::_Lockit.LIBCPMT ref: 00A392A0
                                          • Part of subcall function 00A39270: std::_Lockit::_Lockit.LIBCPMT ref: 00A392C2
                                          • Part of subcall function 00A39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00A392EA
                                          • Part of subcall function 00A39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00A39422
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                        • API String ID: 1383202999-2891247106
                                        • Opcode ID: 0aa845b5eb6a417bc0b284da711861f51ba468b27c706b1abbe6e14a1e86fc37
                                        • Instruction ID: efe274e294ea1d9c9a028c7170b427bfb3cdaf2b630bbbcd0509d0e57b3e385e
                                        • Opcode Fuzzy Hash: 0aa845b5eb6a417bc0b284da711861f51ba468b27c706b1abbe6e14a1e86fc37
                                        • Instruction Fuzzy Hash: F0B1AF7650010AAFCF29DF68CD5AEFE3BB9FB14302F144519FD06A6291D631DA18DB60
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4BF85
                                          • Part of subcall function 00A38610: std::_Lockit::_Lockit.LIBCPMT ref: 00A38657
                                          • Part of subcall function 00A38610: std::_Lockit::_Lockit.LIBCPMT ref: 00A38679
                                          • Part of subcall function 00A38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00A386A1
                                          • Part of subcall function 00A38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00A3880E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                        • API String ID: 1383202999-2891247106
                                        • Opcode ID: 9254d7e0d89af287156587198b98ea51503a4ae96b0ae59811ef5377d2aed400
                                        • Instruction ID: e3ea638496af760233c73cf1ef16b744abefdaec9be1594959e05f4c74db9f93
                                        • Opcode Fuzzy Hash: 9254d7e0d89af287156587198b98ea51503a4ae96b0ae59811ef5377d2aed400
                                        • Instruction Fuzzy Hash: BAB1E27A50110AEFCF59EFA8CD55DFE3BB9FB88360F008119F90AA7251D6719A10CB60
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A4855C
                                        • _Maklocstr.LIBCPMT ref: 00A485C5
                                        • _Maklocstr.LIBCPMT ref: 00A485D7
                                        • _Maklocchr.LIBCPMT ref: 00A485EF
                                        • _Maklocchr.LIBCPMT ref: 00A485FF
                                        • _Getvals.LIBCPMT ref: 00A48621
                                          • Part of subcall function 00A41CD4: _Maklocchr.LIBCPMT ref: 00A41D03
                                          • Part of subcall function 00A41CD4: _Maklocchr.LIBCPMT ref: 00A41D19
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                        • String ID: false$true
                                        • API String ID: 3549167292-2658103896
                                        • Opcode ID: 5255a4bfcfff401b61a613f41f203c152fa6fac6a4f3c76fcd550dd00de8f6e1
                                        • Instruction ID: 69a40c7815d0a04e5e0181774896f173b80bd30d09598a184fd145520fd43f8d
                                        • Opcode Fuzzy Hash: 5255a4bfcfff401b61a613f41f203c152fa6fac6a4f3c76fcd550dd00de8f6e1
                                        • Instruction Fuzzy Hash: A32192B6D00304ABDF14EFA4D986ADE7BB8AF45750F008116F9159F142DBB08644CBA1
                                        APIs
                                        • std::locale::_Init.LIBCPMT ref: 00A39763
                                          • Part of subcall function 00A40C94: __EH_prolog3.LIBCMT ref: 00A40C9B
                                          • Part of subcall function 00A40C94: std::_Lockit::_Lockit.LIBCPMT ref: 00A40CA6
                                          • Part of subcall function 00A40C94: std::locale::_Setgloballocale.LIBCPMT ref: 00A40CC1
                                          • Part of subcall function 00A40C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00A40D17
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3978A
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A397F0
                                        • std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00A3984A
                                          • Part of subcall function 00A3F57A: __EH_prolog3.LIBCMT ref: 00A3F581
                                        • LocalFree.KERNEL32(00000000,00000000,?,00A854B1,00000000), ref: 00A399BF
                                        • __cftoe.LIBCMT ref: 00A39B0B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockitstd::locale::_$H_prolog3Lockit::_$FreeInitLocalLocimp::_Locinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
                                        • String ID: bad locale name
                                        • API String ID: 3578231455-1405518554
                                        • Opcode ID: ebc83e49cb17cdcbfd77aa990750e9df21470ef37ea4aec97012cc57f97064ef
                                        • Instruction ID: f5b653b09e824b02b56f6f5634ee3d95efb9e4ade5c8f9e51c8916071c30e915
                                        • Opcode Fuzzy Hash: ebc83e49cb17cdcbfd77aa990750e9df21470ef37ea4aec97012cc57f97064ef
                                        • Instruction Fuzzy Hash: BBF1AB71D01249DFDF10CFA8D985BAEBBB5FF49304F244169E805AB381E7B59A04CBA1
                                        APIs
                                          • Part of subcall function 00A336D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A33735
                                          • Part of subcall function 00A336D0: _wcschr.LIBVCRUNTIME ref: 00A337C6
                                        • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00A33CA8
                                        • ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00A33D01
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00A33D7A
                                        • ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00A33EB1
                                        • GetLastError.KERNEL32 ref: 00A33F34
                                        • FreeLibrary.KERNEL32(?), ref: 00A33F7B
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 00A33CA2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 566592816-2781105232
                                        • Opcode ID: b52a4831b8214c0a6a79fbb6f02093ccfa0aad35e14078b11f6a3b0ba2ca270c
                                        • Instruction ID: 94ac1f7d737c5e09460b91fa12c40533c45206bc2e375c974a9300db76e98bde
                                        • Opcode Fuzzy Hash: b52a4831b8214c0a6a79fbb6f02093ccfa0aad35e14078b11f6a3b0ba2ca270c
                                        • Instruction Fuzzy Hash: 1DA15A71904749DEDB20DF64CD49BAEBBF0BF48704F204599E449A7280E7B5AA88CF91
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,40000022,9666CEAE,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00A34154
                                        • LocalAlloc.KERNEL32(00000040,3FFFFFFF,9666CEAE,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00A34177
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A34217
                                        • OpenProcess.KERNEL32(00000400,00000000,?,9666CEAE,?,?,?), ref: 00A342D2
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,9666CEAE,?,?,?), ref: 00A342F3
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,9666CEAE,?,?,?), ref: 00A34326
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,9666CEAE,?,?,?), ref: 00A34337
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A34355
                                        • CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A34371
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Process$Local$AllocCloseHandleOpenTimes$Free
                                        • String ID:
                                        • API String ID: 1424318461-0
                                        • Opcode ID: b6e2546dc91cd75f50b23ea4c92638e1a31f128aade609a4f170392fdee78a18
                                        • Instruction ID: 24d5f65e131c4a5c42430045517531b749ec685ff96876bf8dcf92095d37ec9e
                                        • Opcode Fuzzy Hash: b6e2546dc91cd75f50b23ea4c92638e1a31f128aade609a4f170392fdee78a18
                                        • Instruction Fuzzy Hash: E1819D71A006059FDB14CFA8DD85BAEBBB5FB4C310F248229F925B7390D770A9418B90
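The two function listings above (the one resolving NtQueryInformationProcess and then calling ReadProcessMemory, and the one opening processes with access mask 0x400 and querying GetProcessTimes after a 0x40000022-byte LocalAlloc) are the kind of API sequences an analyst wants pulled out of a long report mechanically. The script below is an added triage helper, not part of the Joe Sandbox report or of the sample; it parses lines in the exact shape shown in these "APIs" sections, decodes the OpenProcess access mask into its PROCESS_* constants, and tags three heuristic patterns. The sample input is a handful of lines copied from this report; the tags are assumptions about intent (a reasonable reading of these call chains), not detection signatures, and the regular expression is fitted only to the line shapes visible on this page.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not report output)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]  # hex literal, string constant, or '?' (unknown)


@dataclass
class ApiCall:
    api: str          # e.g. "OpenProcess"
    module: str       # e.g. "KERNEL32"
    args: List[Arg]   # arguments as the report shows them
    ref: int          # call-site address from the "ref:" field


# Accepts the three line shapes seen in the report:
#   • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00A342D2
#   • GetLastError.KERNEL32 ref: 00A33F34
#   • Part of subcall function 00A336D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A33735
_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:~<>=]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Process access rights (winnt.h values).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Sample input: lines copied verbatim from this report's APIs sections.
SAMPLE = """\
  • Part of subcall function 00A336D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A33735
• GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00A33CA8
• ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00A33D01
• ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00A33D7A
• GetLastError.KERNEL32 ref: 00A33F34
• LocalAlloc.KERNEL32(00000040,40000022,9666CEAE,?,?,00000000), ref: 00A34154
• OpenProcess.KERNEL32(00000400,00000000,?,9666CEAE,?,?,?), ref: 00A342D2
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,9666CEAE,?,?,?), ref: 00A34326
• CloseHandle.KERNEL32(00000000,?,9666CEAE,?,?,?), ref: 00A34355
"""


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                     # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)             # 32-bit hex literal
    return tok                          # string constant (export or DLL name)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the calls in listing order (the report lists call sites in address order)."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess mask into PROCESS_* names (unknown bits kept as hex)."""
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_ACCESS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def triage(calls: List[ApiCall]) -> List[str]:
    """Tag heuristic patterns; each tag is prefixed with the call-site address."""
    findings = []
    for i, c in enumerate(calls):
        later = calls[i + 1:]
        # Resolving NtQueryInformationProcess and then reading another process's memory
        # is the usual way to reach a remote PEB / process parameters (assumed intent).
        if c.api == "GetProcAddress" and "NtQueryInformationProcess" in c.args \
                and any(d.api == "ReadProcessMemory" for d in later):
            findings.append(f"{c.ref:08X}: resolves NtQueryInformationProcess, then ReadProcessMemory")
        # Opening processes for query and reading their times looks like a start-time probe.
        if c.api == "OpenProcess" and c.args and isinstance(c.args[0], int) \
                and any(d.api == "GetProcessTimes" for d in later):
            rights = "|".join(decode_process_access(c.args[0]))
            findings.append(f"{c.ref:08X}: OpenProcess({rights}) followed by GetProcessTimes")
        # A ~1 GiB LocalAlloc is unusual for an installer and worth a second look.
        if c.api == "LocalAlloc" and len(c.args) >= 2 and isinstance(c.args[1], int) \
                and c.args[1] >= 0x10000000:
            findings.append(f"{c.ref:08X}: LocalAlloc of 0x{c.args[1]:X} bytes ({c.args[1] >> 20} MiB)")
    return findings


if __name__ == "__main__":
    for tag in triage(parse_api_lines(SAMPLE)):
        print(tag)
```

Paste any "APIs" block from the report into SAMPLE (or read it from a file) and the same three tags come out with their call-site addresses; unknown arguments stay as None so a pattern that needs a concrete value (the access mask, the allocation size) is simply skipped rather than guessed.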
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?), ref: 00A526F8
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A52786
                                        • __alloca_probe_16.LIBCMT ref: 00A527B0
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A527F8
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A52812
                                        • __alloca_probe_16.LIBCMT ref: 00A52838
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A52875
                                        • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00A52892
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                        • String ID:
                                        • API String ID: 3603178046-0
                                        • Opcode ID: 09e5f9fdc8d017b4b3367291833f61b5964f3754e05c97c6e55df9458b361373
                                        • Instruction ID: d1d87cb080f2422c8e3e69bf137ca98ea01a1e461adec0c5d9d84efee480caea
                                        • Opcode Fuzzy Hash: 09e5f9fdc8d017b4b3367291833f61b5964f3754e05c97c6e55df9458b361373
                                        • Instruction Fuzzy Hash: EE71A07290020AABDF21CFA4CD81BEE7BB6FF5A352F280119ED04A7251D731C849CB60
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00A521A3
                                        • __alloca_probe_16.LIBCMT ref: 00A521CF
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00A5220E
                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A5222B
                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A5226A
                                        • __alloca_probe_16.LIBCMT ref: 00A52287
                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A522C9
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A522EC
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                        • String ID:
                                        • API String ID: 2040435927-0
                                        • Opcode ID: bca9a5df1dc349530fc8f49ff7d50623ac04060749265b8eaa72d0908f47af23
                                        • Instruction ID: 5915e00de0c67ad81364abfb7c1d1442f343ff8d7f3ca78751e46cfd640bd6d6
                                        • Opcode Fuzzy Hash: bca9a5df1dc349530fc8f49ff7d50623ac04060749265b8eaa72d0908f47af23
                                        • Instruction Fuzzy Hash: 7C51917250020AABDB208FA4CC45FEF7BB9FF46752F154528FE15AA150D7348D19DB60
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A38657
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A38679
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A386A1
                                        • LocalAlloc.KERNEL32(00000040,00000044,00000000,9666CEAE,?,00000000), ref: 00A386F9
                                        • __Getctype.LIBCPMT ref: 00A3877B
                                        • std::_Facet_Register.LIBCPMT ref: 00A387E4
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3880E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                        • String ID:
                                        • API String ID: 2372200979-0
                                        • Opcode ID: 8fb5bc2c8b66bab85006120584c2ebcb228bcbabaeb55e9237ef2dacc30b8b31
                                        • Instruction ID: 5e3d4d9e784af0448adf1da909a5a444b50b0ef43af8ddce5ca5fdb11adbbe42
                                        • Opcode Fuzzy Hash: 8fb5bc2c8b66bab85006120584c2ebcb228bcbabaeb55e9237ef2dacc30b8b31
                                        • Instruction Fuzzy Hash: CB61BFB1D00744DFDB11CF68CA41B9ABBF4FF14314F248259E845AB391EB78AA45CB91
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A392A0
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A392C2
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A392EA
                                        • LocalAlloc.KERNEL32(00000040,00000018,00000000,9666CEAE,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00A39342
                                        • __Getctype.LIBCPMT ref: 00A393BD
                                        • std::_Facet_Register.LIBCPMT ref: 00A393F8
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A39422
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                        • String ID:
                                        • API String ID: 2372200979-0
                                        • Opcode ID: e574cf740e25bca4f913d41edbd5fab01d54480fa758bd2536bf57d0633402a3
                                        • Instruction ID: 7c1773e5be44c54d46ef3726a00d03c9c7f7a66a22d1a1d33a558627f08b1ab5
                                        • Opcode Fuzzy Hash: e574cf740e25bca4f913d41edbd5fab01d54480fa758bd2536bf57d0633402a3
                                        • Instruction Fuzzy Hash: 1851AAB1904609DFCB11CFA8C944BAFBBF4EF14714F20815DE846AB291E7B4AA45CB90
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00A53F57
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00A53F5F
                                        • _ValidateLocalCookies.LIBCMT ref: 00A53FE8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00A54013
                                        • _ValidateLocalCookies.LIBCMT ref: 00A54068
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 6ce7671ff6ceae596af984ec7baf593ab2a5cda573f535469a36052502fb3d7a
                                        • Instruction ID: a2a111e93aefab22f8929cb5cf08fb7f48d9bfb3d46e9fd916f40e9028f883bf
                                        • Opcode Fuzzy Hash: 6ce7671ff6ceae596af984ec7baf593ab2a5cda573f535469a36052502fb3d7a
                                        • Instruction Fuzzy Hash: 4A41C235E00208ABCF10DF68C885A9EBBB5BF84369F148455ED189F392D7319E5DCB90
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,00A67408,00A63841,0000000C,?,00000000,00000000,?,00A67632,00000021,FlsSetValue,00A7BD58,00A7BD60,?), ref: 00A673BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 3664257935-537541572
                                        • Opcode ID: 0ba0e0b8366668ef523498905893196259b2e093d267b735fdb5933788b9ab05
                                        • Instruction ID: 2bebb2206db01d3b9d035e3d893e3bfd58453474f0b6d593b6fd9fe741858419
                                        • Opcode Fuzzy Hash: 0ba0e0b8366668ef523498905893196259b2e093d267b735fdb5933788b9ab05
                                        • Instruction Fuzzy Hash: E721E475B19211EBCB21DBA4AC41E6E3778EF41764F244620FD19AB390E730ED01E6E0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A48970
                                        • ctype.LIBCPMT ref: 00A489B7
                                          • Part of subcall function 00A4851C: __Getctype.LIBCPMT ref: 00A4852B
                                          • Part of subcall function 00A4270D: __EH_prolog3.LIBCMT ref: 00A42714
                                          • Part of subcall function 00A4270D: std::_Lockit::_Lockit.LIBCPMT ref: 00A4271E
                                          • Part of subcall function 00A4270D: std::_Lockit::~_Lockit.LIBCPMT ref: 00A4278F
                                          • Part of subcall function 00A3F3D9: __EH_prolog3.LIBCMT ref: 00A3F3E0
                                          • Part of subcall function 00A3F3D9: std::_Lockit::_Lockit.LIBCPMT ref: 00A3F3EA
                                          • Part of subcall function 00A3F3D9: std::_Lockit::~_Lockit.LIBCPMT ref: 00A3F48E
                                          • Part of subcall function 00A42837: __EH_prolog3.LIBCMT ref: 00A4283E
                                          • Part of subcall function 00A42837: std::_Lockit::_Lockit.LIBCPMT ref: 00A42848
                                          • Part of subcall function 00A42837: std::_Lockit::~_Lockit.LIBCPMT ref: 00A428B9
                                          • Part of subcall function 00A3F3D9: Concurrency::cancel_current_task.LIBCPMT ref: 00A3F499
                                          • Part of subcall function 00A429F6: __EH_prolog3.LIBCMT ref: 00A429FD
                                          • Part of subcall function 00A429F6: std::_Lockit::_Lockit.LIBCPMT ref: 00A42A07
                                          • Part of subcall function 00A429F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00A42A78
                                          • Part of subcall function 00A42961: __EH_prolog3.LIBCMT ref: 00A42968
                                          • Part of subcall function 00A42961: std::_Lockit::_Lockit.LIBCPMT ref: 00A42972
                                          • Part of subcall function 00A42961: std::_Lockit::~_Lockit.LIBCPMT ref: 00A429E3
                                        • collate.LIBCPMT ref: 00A48B05
                                        • numpunct.LIBCPMT ref: 00A48DAF
                                        • __Getcoll.LIBCPMT ref: 00A48B47
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                          • Part of subcall function 00A36330: LocalAlloc.KERNEL32(00000040,?,00A40E04,00000020,?,?,00A39942,00000000,9666CEAE,?,?,?,?,00A750DD,000000FF), ref: 00A36336
                                        • codecvt.LIBCPMT ref: 00A48E6D
                                          • Part of subcall function 00A42E09: __EH_prolog3.LIBCMT ref: 00A42E10
                                          • Part of subcall function 00A42E09: std::_Lockit::_Lockit.LIBCPMT ref: 00A42E1A
                                          • Part of subcall function 00A42E09: std::_Lockit::~_Lockit.LIBCPMT ref: 00A42E8B
                                          • Part of subcall function 00A42F33: __EH_prolog3.LIBCMT ref: 00A42F3A
                                          • Part of subcall function 00A42F33: std::_Lockit::_Lockit.LIBCPMT ref: 00A42F44
                                          • Part of subcall function 00A42F33: std::_Lockit::~_Lockit.LIBCPMT ref: 00A42FB5
                                          • Part of subcall function 00A422FA: __EH_prolog3.LIBCMT ref: 00A42301
                                          • Part of subcall function 00A422FA: std::_Lockit::_Lockit.LIBCPMT ref: 00A4230B
                                          • Part of subcall function 00A422FA: std::_Lockit::~_Lockit.LIBCPMT ref: 00A4237C
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                        • String ID:
                                        • API String ID: 3494022857-0
                                        • Opcode ID: 4929aa9e37b811ba2d259eab7725d5ee06047808061ffe71cdb5b34f0ab911c0
                                        • Instruction ID: 654815c335334c5e701120193a64a6c9599c16e16c98a205790b14e961989d1f
                                        • Opcode Fuzzy Hash: 4929aa9e37b811ba2d259eab7725d5ee06047808061ffe71cdb5b34f0ab911c0
                                        • Instruction Fuzzy Hash: 74E1C474C02215AFEB107F709E46A7F7AA5EF81760F14842DF859AB281DF798D0097E2
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3B531
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3B54F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B577
                                        • LocalAlloc.KERNEL32(00000040,0000000C,00000000,9666CEAE,?,00000000,00000000), ref: 00A3B5CF
                                        • std::_Facet_Register.LIBCPMT ref: 00A3B6B7
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B6E1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                        • String ID:
                                        • API String ID: 3931714976-0
                                        • Opcode ID: be537352430473d22896d39b45c398ade99098780ea89d2574aee733752bd89c
                                        • Instruction ID: 787a43e0df4011a31737fbc9daffb15fa8485dffb4bc748b4a7c6495906a1924
                                        • Opcode Fuzzy Hash: be537352430473d22896d39b45c398ade99098780ea89d2574aee733752bd89c
                                        • Instruction Fuzzy Hash: 3F51E371900308DFDB11CFA8C981BAEBBB5FF50314F24816DE916AB392D7B59A05CB91
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3B731
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3B74F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B777
                                        • LocalAlloc.KERNEL32(00000040,00000008,00000000,9666CEAE,?,00000000,00000000), ref: 00A3B7CF
                                        • std::_Facet_Register.LIBCPMT ref: 00A3B863
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B88D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                        • String ID:
                                        • API String ID: 3931714976-0
                                        • Opcode ID: 9ee3f7748105e8de8a9681da0b11d684f8c5a86327320b0722f759a35aa481e6
                                        • Instruction ID: 93972f5c5b625f2b905e7ca46cd661452e0709a7561ae49719cbfddca8369bec
                                        • Opcode Fuzzy Hash: 9ee3f7748105e8de8a9681da0b11d684f8c5a86327320b0722f759a35aa481e6
                                        • Instruction Fuzzy Hash: 6A51CD74901214DFCB21CFA8C980BAEBBB5FF54710F24866DE905AB381D7B0AE01CB90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID: a/p$am/pm
                                        • API String ID: 3509577899-3206640213
                                        • Opcode ID: 28cdaf971a4fe3333244f88e906ba8982d9e03fc148bc461ca1eff7dd470ae00
                                        • Instruction ID: 19000dfadf1a65dca589848c93f359a3fb4e153cdf3a678b3e614f47a689d6f9
                                        • Opcode Fuzzy Hash: 28cdaf971a4fe3333244f88e906ba8982d9e03fc148bc461ca1eff7dd470ae00
                                        • Instruction Fuzzy Hash: 5BC1DE79900606DBDB248F68C989EBFB7B0FF55700F248049E906AB690D775ADC1CFA1
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00A5596F,00A54900,00A5358F), ref: 00A55986
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A55994
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A559AD
                                        • SetLastError.KERNEL32(00000000,00A5596F,00A54900,00A5358F), ref: 00A559FF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 4e092cd80504a5b307e97d1f29c5f0a62450f022c5021cb179bb7337a5b2d7d2
                                        • Instruction ID: 0b433222f1f113770c614591a089558713f689698e4d165dfa3a27488be28d47
                                        • Opcode Fuzzy Hash: 4e092cd80504a5b307e97d1f29c5f0a62450f022c5021cb179bb7337a5b2d7d2
                                        • Instruction Fuzzy Hash: 1D01B132609A12EFE62567F47D96A6A2B74FB017BB7300329FC14961E0EE354C4A9690
                                        APIs
                                        • GetTempFileNameW.KERNEL32(?,URL,00000000,?,9666CEAE,?,00000004), ref: 00A33294
                                        • MoveFileW.KERNEL32(?,00000000), ref: 00A3354A
                                        • DeleteFileW.KERNEL32(?), ref: 00A33592
                                          • Part of subcall function 00A31A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00A31AF7
                                          • Part of subcall function 00A31A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00A31B7D
                                          • Part of subcall function 00A32E60: LocalFree.KERNEL32(?,9666CEAE,?,?,00A73C40,000000FF,?,00A31242,9666CEAE,?,?,00A73C75,000000FF), ref: 00A32EB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: FileLocal$Free$AllocDeleteMoveNameTemp
                                        • String ID: URL$url
                                        • API String ID: 853893950-346267919
                                        • Opcode ID: f01e46bcffd6bdb2c801e0076d3aca56564b6c31c2e41bf46482b06136c04d8f
                                        • Instruction ID: 21a852f32e46b4bda7f8b196eae486fe2c1324e85916c421edca4a642c56e459
                                        • Opcode Fuzzy Hash: f01e46bcffd6bdb2c801e0076d3aca56564b6c31c2e41bf46482b06136c04d8f
                                        • Instruction Fuzzy Hash: 05C17770D182689ADF24DF64CD99BDDBBB4BF14304F1042D9E409A7291EBB46B88CF91
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A33735
                                        • GetLastError.KERNEL32(?,?,?,00A74215,000000FF), ref: 00A3381A
                                          • Part of subcall function 00A32310: GetProcessHeap.KERNEL32 ref: 00A32365
                                          • Part of subcall function 00A346F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00A33778,-00000010,?,?,?,00A74215,000000FF), ref: 00A34736
                                        • _wcschr.LIBVCRUNTIME ref: 00A337C6
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00A74215,000000FF), ref: 00A337DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
                                        • String ID: ntdll.dll
                                        • API String ID: 3941625479-2227199552
                                        • Opcode ID: fe2ab736a886367436acbfdcbf9bf92a06099ae7a623945b9c7a5511173e3309
                                        • Instruction ID: da9849b490161d895d5e9255a7c56d2eca6ff35b13a5d8d416639214f9ff6443
                                        • Opcode Fuzzy Hash: fe2ab736a886367436acbfdcbf9bf92a06099ae7a623945b9c7a5511173e3309
                                        • Instruction Fuzzy Hash: 3F418372A04605AFDB10DFA8DD55BAEB7B4FF14310F14862DF916D7281EBB0AA04CB91
                                        APIs
                                          • Part of subcall function 00A31A20: LocalFree.KERNEL32(?), ref: 00A31A42
                                          • Part of subcall function 00A53E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00A31434,?,?,00A3D341,00A31434,00A88B5C,?,00A31434,?,00000000), ref: 00A53EBA
                                        • GetCurrentProcess.KERNEL32(9666CEAE,9666CEAE,?,?,00000000,00A74981,000000FF), ref: 00A362EB
                                          • Part of subcall function 00A52C98: EnterCriticalSection.KERNEL32(00A8DD3C,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52CA3
                                          • Part of subcall function 00A52C98: LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52CE0
                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00A362B0
                                        • GetProcAddress.KERNEL32(00000000), ref: 00A362B7
                                          • Part of subcall function 00A52C4E: EnterCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C58
                                          • Part of subcall function 00A52C4E: LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C8B
                                          • Part of subcall function 00A52C4E: RtlWakeAllConditionVariable.NTDLL ref: 00A52D02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
                                        • String ID: IsWow64Process$kernel32
                                        • API String ID: 1333104975-3789238822
                                        • Opcode ID: 15177331c45396afbe41ba140fa56d9975b908807d0c2902495d5e4333acc9c3
                                        • Instruction ID: ceb3c8c0e7e49fb9501f403d84437a9bd608cd9bdd2d31dd25593a21893dbc5d
                                        • Opcode Fuzzy Hash: 15177331c45396afbe41ba140fa56d9975b908807d0c2902495d5e4333acc9c3
                                        • Instruction Fuzzy Hash: 9321CDB1D44305EFCB10EFE4DE06B9EB7A8FB18B11F104625F915A32D0EB7469018B61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Mpunct$GetvalsH_prolog3
                                        • String ID: $+xv
                                        • API String ID: 2204710431-1686923651
                                        • Opcode ID: 3ed8a1bd8084cdec5320bec99b16f8269b2fe698e80de743a3fd84da933f7855
                                        • Instruction ID: eccadada3fdbab1fa836422aa8098df098f5267d12cbf2e53c70e0d0584cf517
                                        • Opcode Fuzzy Hash: 3ed8a1bd8084cdec5320bec99b16f8269b2fe698e80de743a3fd84da933f7855
                                        • Instruction Fuzzy Hash: A421C1B5804B926EDB25DF74D89077FBEF8AB48301F044A5AE459C7A42D734E601CBA0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(9666CEAE,9666CEAE,?,?,00000000,00A74981,000000FF), ref: 00A362EB
                                          • Part of subcall function 00A52C98: EnterCriticalSection.KERNEL32(00A8DD3C,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52CA3
                                          • Part of subcall function 00A52C98: LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52CE0
                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00A362B0
                                        • GetProcAddress.KERNEL32(00000000), ref: 00A362B7
                                          • Part of subcall function 00A52C4E: EnterCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C58
                                          • Part of subcall function 00A52C4E: LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C8B
                                          • Part of subcall function 00A52C4E: RtlWakeAllConditionVariable.NTDLL ref: 00A52D02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                        • String ID: IsWow64Process$kernel32
                                        • API String ID: 2056477612-3789238822
                                        • Opcode ID: 7a57e0c9b1267ded8c3f86140f567f5da08c86d17a3f3899d8ffe4336dde8852
                                        • Instruction ID: 832bdf70ec824fe0e1323dd138819264d676716752b7aaf05774048278b3dccd
                                        • Opcode Fuzzy Hash: 7a57e0c9b1267ded8c3f86140f567f5da08c86d17a3f3899d8ffe4336dde8852
                                        • Instruction Fuzzy Hash: F611ACB2D48714EFCB10DFA4DD05B9AB7A8FB19B20F00466AEC25936D0EB756901CB91
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00A56AA3,?,?,00A8DDCC,00000000,?,00A56BCE,00000004,InitializeCriticalSectionEx,00A797E8,InitializeCriticalSectionEx,00000000), ref: 00A56A72
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        • Opcode ID: 38607b01fdef8296c73b5a4d07a33c19357f8d70992b3e8e748b704887808a83
                                        • Instruction ID: b9f6e0e2d8c6669484b4f1a20217b2c04c273674a200ede9ebd7618cad218820
                                        • Opcode Fuzzy Hash: 38607b01fdef8296c73b5a4d07a33c19357f8d70992b3e8e748b704887808a83
                                        • Instruction Fuzzy Hash: 7511A331A44225ABCF22CBA89C41B5E33B4BF117B2F548260FE19FB280D670ED0586D5
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9666CEAE,?,?,00000000,00A76A6C,000000FF,?,00A62DC1,?,?,00A62D95,?), ref: 00A62E23
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A62E35
                                        • FreeLibrary.KERNEL32(00000000,?,00000000,00A76A6C,000000FF,?,00A62DC1,?,?,00A62D95,?), ref: 00A62E57
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 58607f682d1ec9bc45f8dc8f45da43b964c3755145b8d43c74cab499c0bd6656
                                        • Instruction ID: e35dc10f5d50eeea46ed7d5a241c271e84eed9ad513f71b1c9d7b92ab3824d45
                                        • Opcode Fuzzy Hash: 58607f682d1ec9bc45f8dc8f45da43b964c3755145b8d43c74cab499c0bd6656
                                        • Instruction Fuzzy Hash: 3E01AD32948A19BFCB12CF80CC05FAEBBB8FB04B10F008625F815A22E0DB759901CB90
                                        APIs
                                        • __alloca_probe_16.LIBCMT ref: 00A66E40
                                        • __alloca_probe_16.LIBCMT ref: 00A66F01
                                        • __freea.LIBCMT ref: 00A66F68
                                          • Part of subcall function 00A65BDC: RtlAllocateHeap.NTDLL(00000000,00000000,00A63841,?,00A6543A,?,00000000,?,00A56CE7,00000000,00A63841,00000000,?,?,?,00A6363B), ref: 00A65C0E
                                        • __freea.LIBCMT ref: 00A66F7D
                                        • __freea.LIBCMT ref: 00A66F8D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 1423051803-0
                                        • Opcode ID: 99f7442a45aa2191dbbeb07e6d8506dc46031813f3538f84c224765b3d17b471
                                        • Instruction ID: ad170eee0a964ba28d93d85435b7463417932716c9acb3de86fd4fbc31933dbc
                                        • Opcode Fuzzy Hash: 99f7442a45aa2191dbbeb07e6d8506dc46031813f3538f84c224765b3d17b471
                                        • Instruction Fuzzy Hash: 1C518F72600206AFEB219FA5ED81EBF7AB9EF44754F150129FD08DB251EB32DC108B60
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3B8DD
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3B900
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B928
                                        • std::_Facet_Register.LIBCPMT ref: 00A3B98D
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B9B7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                        • String ID:
                                        • API String ID: 459529453-0
                                        • Opcode ID: acaec6593b970aa644e5cfc94f86721851f89807ccecf8e5288ab48becf6714e
                                        • Instruction ID: 410ac183c4883c1b7c8da0c5ef167de822411241e93fe051315bc2c22fbf48b8
                                        • Opcode Fuzzy Hash: acaec6593b970aa644e5cfc94f86721851f89807ccecf8e5288ab48becf6714e
                                        • Instruction Fuzzy Hash: 9331E435900218DFCB11DF94DA81BAEBBB5EF24724F144169FA546B3A1D731AE02CBA1
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,?,75EF4450,00A35646,?,?,?,?,?), ref: 00A35898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                        • API String ID: 1452528299-1782174991
                                        • Opcode ID: 8b6732ceb4e1f0fc9978b5a2544381726a959d89fb84e46ce8959eb70a95f2d1
                                        • Instruction ID: fc44bba1c76e9ed7bd95205b09c51838102d2659c3f64c096df8bfbe58f6cb61
                                        • Opcode Fuzzy Hash: 8b6732ceb4e1f0fc9978b5a2544381726a959d89fb84e46ce8959eb70a95f2d1
                                        • Instruction Fuzzy Hash: EE118E56E1062587CB302F7CD80036AA2E4DF50764F65047FEC89DB391FAA98C818394
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Maklocstr$Maklocchr
                                        • String ID:
                                        • API String ID: 2020259771-0
                                        • Opcode ID: 8accf105bee51f69b336f77d01c510bc4ed9c1798bafe105e544ce4d00e5597b
                                        • Instruction ID: 063c23b65caa354272d0ebe626b7abe864663ff72149e9a498c8bb4952852d0f
                                        • Opcode Fuzzy Hash: 8accf105bee51f69b336f77d01c510bc4ed9c1798bafe105e544ce4d00e5597b
                                        • Instruction Fuzzy Hash: 241191B5940784BFE720DBA4CD82F22B7ECAF84350F044519F655CBA41D2A4FC9087A9
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A3D883
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3D88D
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • numpunct.LIBCPMT ref: 00A3D8C7
                                        • std::_Facet_Register.LIBCPMT ref: 00A3D8DE
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3D8FE
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                        • String ID:
                                        • API String ID: 743221004-0
                                        • Opcode ID: 9fcdc78a29ae3e64f71849122911a4694f917f2983cc2e26c60b34df4c29a7ab
                                        • Instruction ID: 8138eeb96f968ecf6827e9694092cd08af503de2e0adfdd248d6fe3b3f624b5f
                                        • Opcode Fuzzy Hash: 9fcdc78a29ae3e64f71849122911a4694f917f2983cc2e26c60b34df4c29a7ab
                                        • Instruction Fuzzy Hash: D7110436900615DFCF05FBA4E941ABE7774BF94710F244419F811AB2D1CF74AE058B90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42396
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A423A0
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • codecvt.LIBCPMT ref: 00A423DA
                                        • std::_Facet_Register.LIBCPMT ref: 00A423F1
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42411
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                        • String ID:
                                        • API String ID: 712880209-0
                                        • Opcode ID: c561a11145284f08bb5b5ade3716779e4d7df50d909107226eb64c14b085c1d5
                                        • Instruction ID: e798e5104d8f1420ed23fce152297f866ad6777e50f254ce6062aa1e286ea00d
                                        • Opcode Fuzzy Hash: c561a11145284f08bb5b5ade3716779e4d7df50d909107226eb64c14b085c1d5
                                        • Instruction Fuzzy Hash: 6D01D23A900119DFCB04EBA4DA41ABE77B1BFC0710F244819F4106B2D2CF789E05CB90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A424C0
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A424CA
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • collate.LIBCPMT ref: 00A42504
                                        • std::_Facet_Register.LIBCPMT ref: 00A4251B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4253B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                        • String ID:
                                        • API String ID: 1007100420-0
                                        • Opcode ID: 66be0376c71e96ca573a60e45c4a0f53d3d843f10f9f0e81d299fde68fa19cce
                                        • Instruction ID: 6ef797effbd9c6f79d4722a8ff3d0bc5003d6b8963c878e5d76f08a9b09535db
                                        • Opcode Fuzzy Hash: 66be0376c71e96ca573a60e45c4a0f53d3d843f10f9f0e81d299fde68fa19cce
                                        • Instruction Fuzzy Hash: 0001DE3A900619DBCB19EBA4EA45AAE77B0BFD4720F254409F410AB2D1CF789E058B91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4242B
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42435
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • collate.LIBCPMT ref: 00A4246F
                                        • std::_Facet_Register.LIBCPMT ref: 00A42486
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A424A6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                        • String ID:
                                        • API String ID: 1007100420-0
                                        • Opcode ID: b362bc424b3830d0dfacb13b6399752c93fd0c724bbf5f13d465714ff908c970
                                        • Instruction ID: 5b5b56155df7c366f68812917c5304258e0d9d8367de6c6002bafcfd9883bbcd
                                        • Opcode Fuzzy Hash: b362bc424b3830d0dfacb13b6399752c93fd0c724bbf5f13d465714ff908c970
                                        • Instruction Fuzzy Hash: 2501C03A900215DFCF04EBA0EA41AAEBB60BFC4720F254409F5106B2D2DFB89E45CB90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A425EA
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A425F4
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • messages.LIBCPMT ref: 00A4262E
                                        • std::_Facet_Register.LIBCPMT ref: 00A42645
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42665
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                        • String ID:
                                        • API String ID: 2750803064-0
                                        • Opcode ID: 94e614eb9441a0cc0e4fa091856e53b9a4c6a1e1b8668613356a920a6e54c23c
                                        • Instruction ID: 01e2a54f3018a2898e4ae2c171e24a1be5bab0f0c1c6b6516c057b08a864d62c
                                        • Opcode Fuzzy Hash: 94e614eb9441a0cc0e4fa091856e53b9a4c6a1e1b8668613356a920a6e54c23c
                                        • Instruction Fuzzy Hash: D001CC3A900219DBCB05EBA0AA51AAEB7A1FFD0710F254409F810AB2D2CF749E01CB90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42555
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4255F
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • ctype.LIBCPMT ref: 00A42599
                                        • std::_Facet_Register.LIBCPMT ref: 00A425B0
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A425D0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                        • String ID:
                                        • API String ID: 83828444-0
                                        • Opcode ID: 424cdba222c648c93d524d76258a226e1553829353799c905053e147e575dd28
                                        • Instruction ID: 11389dd5366f195852dcc8503ae23fd5a94c8d5da5d9851897bcbb8788b97d19
                                        • Opcode Fuzzy Hash: 424cdba222c648c93d524d76258a226e1553829353799c905053e147e575dd28
                                        • Instruction Fuzzy Hash: 8201D23A901219DBCF04EBA0D951AAE7770BFD4720F654809F410AB2D2DF789E45CB91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4267F
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42689
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • messages.LIBCPMT ref: 00A426C3
                                        • std::_Facet_Register.LIBCPMT ref: 00A426DA
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A426FA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                        • String ID:
                                        • API String ID: 2750803064-0
                                        • Opcode ID: c8303a0542018a257a99d70e0f741780b7e1b2095fe56d3eb3195de42907bffa
                                        • Instruction ID: ca51a567ed6c44d76e9fb86202cf761c536c3ab5bb2e4a1251720d4caf573bc3
                                        • Opcode Fuzzy Hash: c8303a0542018a257a99d70e0f741780b7e1b2095fe56d3eb3195de42907bffa
                                        • Instruction Fuzzy Hash: EE01C03A900615DFCF05EBA4D941BAEB770BFD4710F254849F5106B2D1CF749E058B90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4E8DF
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4E8E9
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • messages.LIBCPMT ref: 00A4E923
                                        • std::_Facet_Register.LIBCPMT ref: 00A4E93A
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4E95A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                        • String ID:
                                        • API String ID: 2750803064-0
                                        • Opcode ID: d1a2f3d27ba7949fc112e4f228355c71ada9d7c61136eed3d27cf79a62e36bf5
                                        • Instruction ID: 7d7b5a667dcb56248f2c154e82adab3715b390570eb50ac324e00dddb3f5c534
                                        • Opcode Fuzzy Hash: d1a2f3d27ba7949fc112e4f228355c71ada9d7c61136eed3d27cf79a62e36bf5
                                        • Instruction Fuzzy Hash: B701C03A900215DFCF04EBA09941ABEB7A0BFC0710F250849F514AB2D2CF749E018791
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4E84A
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4E854
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • collate.LIBCPMT ref: 00A4E88E
                                        • std::_Facet_Register.LIBCPMT ref: 00A4E8A5
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4E8C5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                        • String ID:
                                        • API String ID: 1007100420-0
                                        • Opcode ID: 433914229ba24f717913903ce805f3088a25d31741d4788a2537a685b7f88d1f
                                        • Instruction ID: 45bb68766e96305775ba442f9f8b5d18403d067f1ab2d6f1ea95a0aaefef57b5
                                        • Opcode Fuzzy Hash: 433914229ba24f717913903ce805f3088a25d31741d4788a2537a685b7f88d1f
                                        • Instruction Fuzzy Hash: E901923A900519DFCF05FBA4D941AAE77B1BFD4710F244409F914AB2D1CF749E058B91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A429FD
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42A07
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • moneypunct.LIBCPMT ref: 00A42A41
                                        • std::_Facet_Register.LIBCPMT ref: 00A42A58
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42A78
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: bb633bb17eceda9a00cdf3924da7f0670237a8c01d08d222e25eb1e5fb3789ea
                                        • Instruction ID: 54fdd13eb608bfd17b73a2b1e18058ec6b5438e6f44019cd68b51e6eae09fdd9
                                        • Opcode Fuzzy Hash: bb633bb17eceda9a00cdf3924da7f0670237a8c01d08d222e25eb1e5fb3789ea
                                        • Instruction Fuzzy Hash: 9801D23A900215DFCB15EBA4D941BBE77B1BFD4760F254419F9106B2D2CF749E018790
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42968
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42972
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • moneypunct.LIBCPMT ref: 00A429AC
                                        • std::_Facet_Register.LIBCPMT ref: 00A429C3
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A429E3
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: 61a90eb62d55171a9e9c7efc854d451f2d35e97e4096b8b7afdd9a92c4fb12f8
                                        • Instruction ID: ba89785a4c1df91a72d4d2968a3e10235e6433bac973a2578b5ccd4ef215410a
                                        • Opcode Fuzzy Hash: 61a90eb62d55171a9e9c7efc854d451f2d35e97e4096b8b7afdd9a92c4fb12f8
                                        • Instruction Fuzzy Hash: EB01DE3A900619DFCB14EBA4DA42AAE77B0BFC4710F254909F910AB2D2CF749E018B91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42A92
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42A9C
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • moneypunct.LIBCPMT ref: 00A42AD6
                                        • std::_Facet_Register.LIBCPMT ref: 00A42AED
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42B0D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: 2d8e9af4184ed99495fbe2d2298e79daa8aaa4c9b59c6d7b8a8bd25300044837
                                        • Instruction ID: ebbbec10df9d8026e4be30534163fde04404dbce7c6858ddbf7691a36d1f33c6
                                        • Opcode Fuzzy Hash: 2d8e9af4184ed99495fbe2d2298e79daa8aaa4c9b59c6d7b8a8bd25300044837
                                        • Instruction Fuzzy Hash: 6501C439900615DFCB15EBA49941BAE77A1BFD4710F244809F904A72D2CF749E01CB91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4EA9E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4EAA8
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • moneypunct.LIBCPMT ref: 00A4EAE2
                                        • std::_Facet_Register.LIBCPMT ref: 00A4EAF9
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4EB19
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: 70109ecfe3f0125e5b40b0776acd93ce8dbfa4e90de58175124c5cda9213f489
                                        • Instruction ID: 1fde9e7f053e432efedb61591bb3fd21a613f0ee2700ee62985f5fcf8f9bb28f
                                        • Opcode Fuzzy Hash: 70109ecfe3f0125e5b40b0776acd93ce8dbfa4e90de58175124c5cda9213f489
                                        • Instruction Fuzzy Hash: C101D23A900619DFCB14EBA0DA41AAE7771FFD0720F244849F405AB2D2DF749E06C791
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42B27
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42B31
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • moneypunct.LIBCPMT ref: 00A42B6B
                                        • std::_Facet_Register.LIBCPMT ref: 00A42B82
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42BA2
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: f57ab4cca41a1d52e5346c6d2eac5fb8d005a66a5f0c99857b4af7b875940eb7
                                        • Instruction ID: a63b41023d6d131b70a93e34e7b8500030fe52579b317b0cca906a41eb31f4f2
                                        • Opcode Fuzzy Hash: f57ab4cca41a1d52e5346c6d2eac5fb8d005a66a5f0c99857b4af7b875940eb7
                                        • Instruction Fuzzy Hash: 3601D23A900615DBCF14FBA4D941ABE7771BFC4720F254409F5046B2D2CFB49E068791
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4EB33
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4EB3D
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • moneypunct.LIBCPMT ref: 00A4EB77
                                        • std::_Facet_Register.LIBCPMT ref: 00A4EB8E
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4EBAE
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: 45bfb7baca94857f1780fd004f070d271da4a102f6ba1d2ca9664748286ce59d
                                        • Instruction ID: 40eb9d6543ea0be0c27fb1c2fb466a974f94c13e9b5f66a70f9f019ad712ec7f
                                        • Opcode Fuzzy Hash: 45bfb7baca94857f1780fd004f070d271da4a102f6ba1d2ca9664748286ce59d
                                        • Instruction Fuzzy Hash: C201D23A900515DFCF04FBA0D981AAE7770BFC4710F258809F4156B2D2CFB49E068B91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42D7B
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42D85
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • numpunct.LIBCPMT ref: 00A42DBF
                                        • std::_Facet_Register.LIBCPMT ref: 00A42DD6
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42DF6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                        • String ID:
                                        • API String ID: 743221004-0
                                        • Opcode ID: 3c28b951eabcacdea1255e7597e051b2da72646ce2a7fd548c8632e53a3f3c5b
                                        • Instruction ID: 6049ac0453cfc9beb209bdad2a958822ea594bfc367d8fa66d3560cafe635a99
                                        • Opcode Fuzzy Hash: 3c28b951eabcacdea1255e7597e051b2da72646ce2a7fd548c8632e53a3f3c5b
                                        • Instruction Fuzzy Hash: 1101C039900215DBCB04EBA4DA41BBEB7A0BFD4710F654809F414AB2D2CF749E018790
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C58
                                        • LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,00A32427,00A8E638,00A76B40), ref: 00A52C8B
                                        • RtlWakeAllConditionVariable.NTDLL ref: 00A52D02
                                        • SetEvent.KERNEL32(?,00A32427,00A8E638,00A76B40), ref: 00A52D0C
                                        • ResetEvent.KERNEL32(?,00A32427,00A8E638,00A76B40), ref: 00A52D18
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                        • String ID:
                                        • API String ID: 3916383385-0
                                        • Opcode ID: 0c33f89b8688713fe588d746d1a1b728879953aceeae8f202b001f14f21667b5
                                        • Instruction ID: 9514c8b05c54ed4262b53c3831702d53cb21fc4f3b2fb3ebac2593a16f7e872a
                                        • Opcode Fuzzy Hash: 0c33f89b8688713fe588d746d1a1b728879953aceeae8f202b001f14f21667b5
                                        • Instruction Fuzzy Hash: B901F631506120DFC715EF98FC48A997B75FB49761701846AF90697371DB305943DFA0
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,00000018,9666CEAE,?,00000000), ref: 00A3BBA3
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00A3BD7F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: AllocConcurrency::cancel_current_taskLocal
                                        • String ID: false$true
                                        • API String ID: 3924972193-2658103896
                                        • Opcode ID: 9c8ce238d0eb87fd4b079b68f9d795fde6ac58ca4b1ee837a0976203b03236ac
                                        • Instruction ID: c7525d1cddc64a82c0452e2231b3c2279b1313ede4c28f00ddc5df92354bf0b5
                                        • Opcode Fuzzy Hash: 9c8ce238d0eb87fd4b079b68f9d795fde6ac58ca4b1ee837a0976203b03236ac
                                        • Instruction Fuzzy Hash: AB6182B1D00748DBDB10DFA4C941BDEBBF8FF14304F14826AE955AB281E7B5AA44CB91
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A4D3D2
                                          • Part of subcall function 00A4254E: __EH_prolog3.LIBCMT ref: 00A42555
                                          • Part of subcall function 00A4254E: std::_Lockit::_Lockit.LIBCPMT ref: 00A4255F
                                          • Part of subcall function 00A4254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00A425D0
                                        • _Find_elem.LIBCPMT ref: 00A4D46E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                        • String ID: %.0Lf$0123456789-
                                        • API String ID: 2544715827-3094241602
                                        • Opcode ID: 2488bb6de8caedf292a6adb8fa83fa2606ce81103e40bd8136cf757010ebf693
                                        • Instruction ID: 8a9e2ced955c0c63b85fa993108ca70299eddbfe89b7d2a6d3e82ea5bdd2f595
                                        • Opcode Fuzzy Hash: 2488bb6de8caedf292a6adb8fa83fa2606ce81103e40bd8136cf757010ebf693
                                        • Instruction Fuzzy Hash: 9741AF36900218DFCF05DFA4C980ADEBBB5FF98314F104159F815AB255DB70EA56CBA2
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A4D676
                                          • Part of subcall function 00A38610: std::_Lockit::_Lockit.LIBCPMT ref: 00A38657
                                          • Part of subcall function 00A38610: std::_Lockit::_Lockit.LIBCPMT ref: 00A38679
                                          • Part of subcall function 00A38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00A386A1
                                          • Part of subcall function 00A38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00A3880E
                                        • _Find_elem.LIBCPMT ref: 00A4D712
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                        • String ID: 0123456789-$0123456789-
                                        • API String ID: 3042121994-2494171821
                                        • Opcode ID: 342b0c8d0ea0f799ddf0eaa975c53d398033511ae1bf64e5924d191b1eab3de6
                                        • Instruction ID: b2db812067b5f485593850e6cb4f280f35b03362e1fe465f7b92f183e35c9992
                                        • Opcode Fuzzy Hash: 342b0c8d0ea0f799ddf0eaa975c53d398033511ae1bf64e5924d191b1eab3de6
                                        • Instruction Fuzzy Hash: D1419C76900218DFCF15EFA8C980ADEBBB5FF58310F104159F815AB256DB30EA56CBA1
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A51761
                                          • Part of subcall function 00A39270: std::_Lockit::_Lockit.LIBCPMT ref: 00A392A0
                                          • Part of subcall function 00A39270: std::_Lockit::_Lockit.LIBCPMT ref: 00A392C2
                                          • Part of subcall function 00A39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00A392EA
                                          • Part of subcall function 00A39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00A39422
                                        • _Find_elem.LIBCPMT ref: 00A517FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                        • String ID: 0123456789-$0123456789-
                                        • API String ID: 3042121994-2494171821
                                        • Opcode ID: 4227e31a7fc5b51ada2688e70dc3f4ee623c0255bc9dcb4384e66ce9fb7f86ff
                                        • Instruction ID: 7eaee983d5070e372c034699053bc32673a30f9401ae2187d7d183d15fc53e1a
                                        • Opcode Fuzzy Hash: 4227e31a7fc5b51ada2688e70dc3f4ee623c0255bc9dcb4384e66ce9fb7f86ff
                                        • Instruction Fuzzy Hash: 0D416B31900208EFCF15DFA8D981AEEBBB5BF08310F10455AF811AB252DB34DA46CF91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4838D
                                          • Part of subcall function 00A41C42: _Maklocstr.LIBCPMT ref: 00A41C62
                                          • Part of subcall function 00A41C42: _Maklocstr.LIBCPMT ref: 00A41C7F
                                          • Part of subcall function 00A41C42: _Maklocstr.LIBCPMT ref: 00A41C9C
                                          • Part of subcall function 00A41C42: _Maklocchr.LIBCPMT ref: 00A41CAE
                                          • Part of subcall function 00A41C42: _Maklocchr.LIBCPMT ref: 00A41CC1
                                        • _Mpunct.LIBCPMT ref: 00A4841A
                                        • _Mpunct.LIBCPMT ref: 00A48434
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                        • String ID: $+xv
                                        • API String ID: 2939335142-1686923651
                                        • Opcode ID: b82a4062ab0b885b4eef965a8072ae4efd3929ea8c0aa5e81c131759fe707005
                                        • Instruction ID: afd624025df804f627cb16e10350503065e2038fd1735670cd6578ecfa8c7f3d
                                        • Opcode Fuzzy Hash: b82a4062ab0b885b4eef965a8072ae4efd3929ea8c0aa5e81c131759fe707005
                                        • Instruction Fuzzy Hash: 1E21E0B1804B926EDB25DF74C88077FBEF8AB48300F04065AE499C7A02D734E601CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Mpunct$H_prolog3
                                        • String ID: $+xv
                                        • API String ID: 4281374311-1686923651
                                        • Opcode ID: 153c68146aa36fe883e6f924d140840e8864674228f2d3b6ee8aa590e9f4041e
                                        • Instruction ID: 0721451b17996978ae3b62a44d9afefdd6da8e864d4ba55201334397d9b4ce67
                                        • Opcode Fuzzy Hash: 153c68146aa36fe883e6f924d140840e8864674228f2d3b6ee8aa590e9f4041e
                                        • Instruction Fuzzy Hash: C621A4B1904B916FDB25DF74C890B7BBEF8BB08301F04455AE499C7A42D774E605CB90
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00A31434,?,00000000), ref: 00A32569
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00A31434,?,00000000), ref: 00A32589
                                        • LocalFree.KERNEL32(?,00A31434,?,00000000), ref: 00A325DF
                                        • CloseHandle.KERNEL32(00000000,9666CEAE,?,00000000,00A73C40,000000FF,00000008,?,?,?,?,00A31434,?,00000000), ref: 00A32633
                                        • LocalFree.KERNEL32(?,9666CEAE,?,00000000,00A73C40,000000FF,00000008,?,?,?,?,00A31434), ref: 00A32647
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Local$AllocFree$CloseHandle
                                        • String ID:
                                        • API String ID: 1291444452-0
                                        • Opcode ID: aae4a83e1148a2eb799667d9ca24e72509b82727be10a1a6df525714f4c9c2ab
                                        • Instruction ID: 6acb5315560b3571c2ef72ec85865ff27d844f9a840b7d2c46799bfc06d59579
                                        • Opcode Fuzzy Hash: aae4a83e1148a2eb799667d9ca24e72509b82727be10a1a6df525714f4c9c2ab
                                        • Instruction Fuzzy Hash: 4641F872600311ABC714DF78DC94B6ABBE8EB49360F20472AF526C72D0EB34D94587A0
                                        APIs
                                        • GetConsoleOutputCP.KERNEL32(9666CEAE,?,00000000,?), ref: 00A71DFE
                                          • Part of subcall function 00A6A9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00A66F5E,?,00000000,-00000008), ref: 00A6AA67
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A72059
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A720A1
                                        • GetLastError.KERNEL32 ref: 00A72144
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                        • String ID:
                                        • API String ID: 2112829910-0
                                        • Opcode ID: 3f4164a6dc8a6fc199f0a1a71adbc537890981460a281e1b1ef37e67b0033870
                                        • Instruction ID: e532a0e2f44a04369b7902982d5a9189e17f9ac229c4aeee1a5a3886a9bbe20c
                                        • Opcode Fuzzy Hash: 3f4164a6dc8a6fc199f0a1a71adbc537890981460a281e1b1ef37e67b0033870
                                        • Instruction Fuzzy Hash: CED14875D002589FCF15CFA8DC80AEDBBB5FF09310F18866AE959E7251D730A946CB60
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A5011D
                                        • collate.LIBCPMT ref: 00A50126
                                          • Part of subcall function 00A4EDF2: __EH_prolog3_GS.LIBCMT ref: 00A4EDF9
                                          • Part of subcall function 00A4EDF2: __Getcoll.LIBCPMT ref: 00A4EE5D
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • __Getcoll.LIBCPMT ref: 00A5016C
                                        • numpunct.LIBCPMT ref: 00A503C4
                                          • Part of subcall function 00A36330: LocalAlloc.KERNEL32(00000040,?,00A40E04,00000020,?,?,00A39942,00000000,9666CEAE,?,?,?,?,00A750DD,000000FF), ref: 00A36336
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
                                        • String ID:
                                        • API String ID: 259100098-0
                                        • Opcode ID: b1bc1350c4d0a5edca156d2e51ce3066980acefe9a128c0112278802ab2e6d95
                                        • Instruction ID: a72c9cefe2cb1d0915ba0355e8f3c7395c45ff6d892ac3581b4e5ddb65b30437
                                        • Opcode Fuzzy Hash: b1bc1350c4d0a5edca156d2e51ce3066980acefe9a128c0112278802ab2e6d95
                                        • Instruction Fuzzy Hash: 2091D771D023116FEB20BBB44E46F7F7AA8FF41761F10852DFD59AB281DA74890487A2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        • Opcode ID: 62c4f81d22dcac235018af71de13fae7590a7507a3bf4631d9139a7824d8d7d9
                                        • Instruction ID: 3741d10639deb842858b6ff7bf470aab50336251c25f606e008fecc27e454d1d
                                        • Opcode Fuzzy Hash: 62c4f81d22dcac235018af71de13fae7590a7507a3bf4631d9139a7824d8d7d9
                                        • Instruction Fuzzy Hash: C851F2B2E00B06AFDB289F64D969B6A77B4FF04312F154629ED0187191E731EC88C790
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0eafb92d87eeab80f3880e2278b9542fe2ff82208c182fe6548ffa77002d7643
                                        • Instruction ID: 25d361577e8e2cf7d714ef7a9bb5d181337b3f897579d98637dce54ce93c1f42
                                        • Opcode Fuzzy Hash: 0eafb92d87eeab80f3880e2278b9542fe2ff82208c182fe6548ffa77002d7643
                                        • Instruction Fuzzy Hash: 4A21DE71604A06AF9B30AF64DD61E6F77B8FF443607108925FC169B250EB34ED0097A0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00A36FB7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                        • API String ID: 1452528299-1781106413
                                        • Opcode ID: df73712fa1aaab722fa82bd4efaa6071c9d189697443658d498af7d9091bad8f
                                        • Instruction ID: 9878b42f61b41c98c48f30795a00fb29bf1d160cf69ceac7db024cc692fde1d6
                                        • Opcode Fuzzy Hash: df73712fa1aaab722fa82bd4efaa6071c9d189697443658d498af7d9091bad8f
                                        • Instruction Fuzzy Hash: 4B219F49E1022182CB742F38D51137EA6E0EF54754F64587FECC9DB390FAA98C828391
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A3F3E0
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3F3EA
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3F48E
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00A3F499
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                        • String ID:
                                        • API String ID: 4244582100-0
                                        • Opcode ID: 133da6dc82f3e35e912282e34f40840d406be7db14ecb766a219f26e40aa8ecf
                                        • Instruction ID: a2097ccebb5eb1380b5b86da4883dcec3321e3bda25fa169b2475dd1ff87c29e
                                        • Opcode Fuzzy Hash: 133da6dc82f3e35e912282e34f40840d406be7db14ecb766a219f26e40aa8ecf
                                        • Instruction Fuzzy Hash: E0214C34A1061AEFCB04EF14D851AADB771FF48710F118469E9259B3A1CB70EE50CF80
                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,9666CEAE), ref: 00A3CD1C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00A3CD3C
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00A3CD6D
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00A3CD86
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerWrite
                                        • String ID:
                                        • API String ID: 3604237281-0
                                        • Opcode ID: 2725f3a3503cbef78ff924faa270eec4957072ad6c5ccb12e545b6d8b6440bba
                                        • Instruction ID: 539d52771758cca5daff394ff3b05892fe76ce0b4b3a11ea5a4fc3031304c2c8
                                        • Opcode Fuzzy Hash: 2725f3a3503cbef78ff924faa270eec4957072ad6c5ccb12e545b6d8b6440bba
                                        • Instruction Fuzzy Hash: 3A21B170941315ABD720DF54DC09FAEBBB8FB05B24F104229F504B72C0D7B46A068BE4
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42301
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4230B
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A4235C
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4237C
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 420cf4e59b5d9454ca37568923d845a7f308c5cc2c9cfb3b0814f73ab097ae49
                                        • Instruction ID: 3a79ba188dfb04fbb01a4880caa4d78ec1aa4a8c0102364d25f06f871f80ce11
                                        • Opcode Fuzzy Hash: 420cf4e59b5d9454ca37568923d845a7f308c5cc2c9cfb3b0814f73ab097ae49
                                        • Instruction Fuzzy Hash: 1A01D23A900615DFCF14EBA4E941ABEB7B0BFC0720F254509F510AB2D1CF78AE058B90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A3D6C4
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3D6CE
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A3D71F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3D73F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: c52daa9f281455b2d9cfe2d93531a75653c874198697fdc074130d2ba326bce7
                                        • Instruction ID: ca23bf77452b4a2e1211b71e430670f161a52c882b159ab879a387300e9fdf00
                                        • Opcode Fuzzy Hash: c52daa9f281455b2d9cfe2d93531a75653c874198697fdc074130d2ba326bce7
                                        • Instruction Fuzzy Hash: E601DE36900619DFCB05EBA0EA42AAE77B0BF90710F240809F800AB2D2CF749E058B90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A427A9
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A427B3
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42804
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42824
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 2dec2dd0ec488183a1eb17c3635dbe43a637c4babc838623b07ca25b7dad28bd
                                        • Instruction ID: 7ae89d64eab60f11d4a5001b8e4ee05f6ff5464bf23cfbac700fc21951ec6f31
                                        • Opcode Fuzzy Hash: 2dec2dd0ec488183a1eb17c3635dbe43a637c4babc838623b07ca25b7dad28bd
                                        • Instruction Fuzzy Hash: 3001D23A900215DBCF15EBA4DA41AAE7771BFD4720F240409F9046B2D2CF749E05CBA1
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A3D7EE
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3D7F8
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A3D849
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3D869
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: abb8f34d89bb3e8a0491d61a7e8bca80717cbdb0bab5729177886076b43d884a
                                        • Instruction ID: effb4aeba1e6854bba4fad7a31be5232fd651c61bfd1aad4e3cfc40aad9c2237
                                        • Opcode Fuzzy Hash: abb8f34d89bb3e8a0491d61a7e8bca80717cbdb0bab5729177886076b43d884a
                                        • Instruction Fuzzy Hash: DA01F136900619DFCF15FBA4EA42ABE77B1BF90720F244409F500AB2D1CF74AE018B91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42714
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4271E
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A4276F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4278F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 14e7a4c4017570618205d7ec261397536cdbf62288f5b98700cc6dc332db65cd
                                        • Instruction ID: 49f6d805cbccbcddd710a2ff0dd9a6800b9840f048d080d4d2224687e924111d
                                        • Opcode Fuzzy Hash: 14e7a4c4017570618205d7ec261397536cdbf62288f5b98700cc6dc332db65cd
                                        • Instruction Fuzzy Hash: 9101C03A900215DBCF04EBA09A45AAE7B71BFD4710F240909F8146B2D2CF749E058B90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A3D759
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3D763
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A3D7B4
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A3D7D4
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 36908e68e476cf5139d1b61b68c5b3f50cf04f93061b50ed3570762de58719a7
                                        • Instruction ID: f04879a6d938438a0acb78d165629ce6adcce4d18a8e1060008b2ebbf7d54936
                                        • Opcode Fuzzy Hash: 36908e68e476cf5139d1b61b68c5b3f50cf04f93061b50ed3570762de58719a7
                                        • Instruction Fuzzy Hash: 4B01DE36900219DFCF04EBA0EA42AAE77B1BF80714F240809F914AB2D2CF749E05CB90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A428D3
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A428DD
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A4292E
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4294E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 54d484b275a24da60462c0356264fa994e20545bede862496aa72156bf3a1af1
                                        • Instruction ID: 94fa119268371b147ab71998e7ca678976c534ffbf031ba3859d5c150d1764e9
                                        • Opcode Fuzzy Hash: 54d484b275a24da60462c0356264fa994e20545bede862496aa72156bf3a1af1
                                        • Instruction Fuzzy Hash: F501D23A900615DBCB04EBA0DA51BBE77B1BFC4720F244809F514AB2D2CFB49E058BD0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4283E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42848
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42899
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A428B9
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: ab3d3b2dfa60939ee05f47c9f66c799e9c7dc69223e63abe27a64f547bdfb8af
                                        • Instruction ID: e61cc8f3f69d3928809302c765fdaad164c1d9eaf4d9fe7fcec115839cd29854
                                        • Opcode Fuzzy Hash: ab3d3b2dfa60939ee05f47c9f66c799e9c7dc69223e63abe27a64f547bdfb8af
                                        • Instruction Fuzzy Hash: 8101C03AD00525DFCB04EBA0DA41ABE77A1BFD0710F240909F514AB2D2CF749E058B91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4E974
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4E97E
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A4E9CF
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4E9EF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: bb4d83aa3123090b54c24fee9ff75aee27b582250948cc9c9966d7de07f53406
                                        • Instruction ID: 4ba43c40e18e541fca27c209f1911fc2ebcf25d3c1364f6fc02cf366cb3dea7a
                                        • Opcode Fuzzy Hash: bb4d83aa3123090b54c24fee9ff75aee27b582250948cc9c9966d7de07f53406
                                        • Instruction Fuzzy Hash: FA01F539900125DFCB15EBA4DA42ABEB7B4BFC0711F254949F5106B2D2CF749E01C791
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4EA09
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4EA13
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A4EA64
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4EA84
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 1b57a8ef78266326b45898ea8ee96b60bece0de64e4dc8d9b5dfd188d77408e1
                                        • Instruction ID: 225cf6eb3a3176e40a242bb109d08c45a7a8c3f3d8b5f7003845c7cbb38c6dd7
                                        • Opcode Fuzzy Hash: 1b57a8ef78266326b45898ea8ee96b60bece0de64e4dc8d9b5dfd188d77408e1
                                        • Instruction Fuzzy Hash: 2D01D239900215DFCF04EBA0DA45AAE77B0BFD4721F2A4919F4006B2D2CF749E058B91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42BBC
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42BC6
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42C17
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42C37
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 76b0c4fbeb263e0ae346cf45ce26cf16361abfada0c3abca7f232a422737b846
                                        • Instruction ID: 0b2c43a00c7bf1029f9971676f2a6266df8dd769148705760994e32fb040bab1
                                        • Opcode Fuzzy Hash: 76b0c4fbeb263e0ae346cf45ce26cf16361abfada0c3abca7f232a422737b846
                                        • Instruction Fuzzy Hash: CA01D23A900619DBCF18FBA4DA41AAE77B0BFD0710F254809F900AB2D2CF749E05CB90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4EBC8
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4EBD2
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A4EC23
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4EC43
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: fdaf0b159a1576c6a576a7a46d5ea5a3f788100af3828b45aae27fac8cbe595c
                                        • Instruction ID: ba1c131b75603b00e9515c8d2beba976e2446f580c3634b4d4d66a9d5da44449
                                        • Opcode Fuzzy Hash: fdaf0b159a1576c6a576a7a46d5ea5a3f788100af3828b45aae27fac8cbe595c
                                        • Instruction Fuzzy Hash: 4801F53A900115DFCB14EBA0DA46ABE77B0BFD0710F240849F514AB2D2DF74AE0187D1
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42CE6
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42CF0
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42D41
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42D61
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 940785aac6885c3cd1e64a2c48f0161d13c20e001bb37a884bde812c11769381
                                        • Instruction ID: ad7771aff118b227933d4bad8e341840ae30d15518c5f47d345dc5907e5d6516
                                        • Opcode Fuzzy Hash: 940785aac6885c3cd1e64a2c48f0161d13c20e001bb37a884bde812c11769381
                                        • Instruction Fuzzy Hash: 9301CC3AD00219DBCB15EBA0AA41BAE77B1BFC4710F240509F514AB2D2CFB49E06CB91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42C51
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42C5B
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42CAC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42CCC
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 0722e903a82016cd7ebc542916709d972f2fe87f6770cd57045c5413264341d7
                                        • Instruction ID: 590c6bd26c5a45f535fcf7d879da1ffca27703744ebe94c0d39da6ad9efa5add
                                        • Opcode Fuzzy Hash: 0722e903a82016cd7ebc542916709d972f2fe87f6770cd57045c5413264341d7
                                        • Instruction Fuzzy Hash: 7901DE3A901219DBCB14EBA4DA81BBE77B0BFC4710F254409F510AB3D1CF789E018BA0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A4EC5D
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A4EC67
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A4ECB8
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4ECD8
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: b0dba2cc80a9c04dce07e57eed4223bc2e43e11e7f8a18a26fa3fcb720fe9d5f
                                        • Instruction ID: ef4b4130ad974ab1c768d2a8fe7ac9134ba615f21b0f0f525cdc69bee4f9b48d
                                        • Opcode Fuzzy Hash: b0dba2cc80a9c04dce07e57eed4223bc2e43e11e7f8a18a26fa3fcb720fe9d5f
                                        • Instruction Fuzzy Hash: 3B01D23AD00215DFCB05EBA4DA81AAE7771BFC0720F254409F501AB2D1CF749E01C791
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42EA5
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42EAF
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42F00
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42F20
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: ada222320ffd5db3e798d7ed7691a5ea789dc294296d8d5a5a9b2884a0303b4b
                                        • Instruction ID: 452fe3d884fa0d8b5de08e7a8b607ee036e86a3de33561c4fa58cf9a930928d1
                                        • Opcode Fuzzy Hash: ada222320ffd5db3e798d7ed7691a5ea789dc294296d8d5a5a9b2884a0303b4b
                                        • Instruction Fuzzy Hash: D601DE3A900219DBCB05EBA0DA42ABE77B0BFD4710F640819F914AB2D2CF749E05CB90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42E10
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42E1A
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42E6B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42E8B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 24f96684cd1015604fa93d9bf8b72d5e58545233d508c7c7421e33bc554e26ac
                                        • Instruction ID: c393dd9c1f074b04931f1c84e168763120a7102611b71be2b18102908952717d
                                        • Opcode Fuzzy Hash: 24f96684cd1015604fa93d9bf8b72d5e58545233d508c7c7421e33bc554e26ac
                                        • Instruction Fuzzy Hash: 4101D63A900519DFCB04EBA4D942AAE7771BFD4710F244909F914672D1CF749E058790
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00A42F3A
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A42F44
                                          • Part of subcall function 00A38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00A38C50
                                          • Part of subcall function 00A38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00A38C78
                                        • std::_Facet_Register.LIBCPMT ref: 00A42F95
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00A42FB5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 5d2ccaec8230b0d808205190a830df79479c8c704513c498a1795bca68c66cef
                                        • Instruction ID: ce4cebf20f8fe44257d58a5421fbc75fb9c9294db78674bb452a6afe04f37176
                                        • Opcode Fuzzy Hash: 5d2ccaec8230b0d808205190a830df79479c8c704513c498a1795bca68c66cef
                                        • Instruction Fuzzy Hash: D501C039900515DBCB04EBA09A41ABEB7B1BFD4710F644909F404AB2D2CF749E05CB90
                                        APIs
                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00A73053,?,00000001,?,?,?,00A72198,?,?,00000000), ref: 00A7369D
                                        • GetLastError.KERNEL32(?,00A73053,?,00000001,?,?,?,00A72198,?,?,00000000,?,?,?,00A7271F,?), ref: 00A736A9
                                          • Part of subcall function 00A7366F: CloseHandle.KERNEL32(FFFFFFFE,00A736B9,?,00A73053,?,00000001,?,?,?,00A72198,?,?,00000000,?,?), ref: 00A7367F
                                        • ___initconout.LIBCMT ref: 00A736B9
                                          • Part of subcall function 00A73631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A73660,00A73040,?,?,00A72198,?,?,00000000,?), ref: 00A73644
                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00A73053,?,00000001,?,?,?,00A72198,?,?,00000000,?), ref: 00A736CE
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        • Opcode ID: f22b6b818874363ba4c1e3bbfb0a8eb0401b4e7eb02d035e36e2f295fae9008b
                                        • Instruction ID: 6d81fe0a98062c31bfd2dafb3f5021273508ea89e63f199679f012191151c752
                                        • Opcode Fuzzy Hash: f22b6b818874363ba4c1e3bbfb0a8eb0401b4e7eb02d035e36e2f295fae9008b
                                        • Instruction Fuzzy Hash: 6EF0F236504158BBCF22AFD5AC0898E3E66FB083A1B01C090FA1D96220C6328961ABA0
                                        APIs
                                        • SleepConditionVariableCS.KERNELBASE(?,00A52CBD,00000064), ref: 00A52D43
                                        • LeaveCriticalSection.KERNEL32(00A8DD3C,?,?,00A52CBD,00000064,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52D4D
                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00A52CBD,00000064,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52D5E
                                        • EnterCriticalSection.KERNEL32(00A8DD3C,?,00A52CBD,00000064,?,?,?,00A323B6,00A8E638,9666CEAE,?,?,00A73D6D,000000FF), ref: 00A52D65
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                        • String ID:
                                        • API String ID: 3269011525-0
                                        • Opcode ID: e673656f9836936fe48e8192354fa217441fd1ac0d2e54c76e242583ad21e9f1
                                        • Instruction ID: fce623579846d75e2339ea34dae522611b0b9ed58e5cd67463fceabcc0e717f4
                                        • Opcode Fuzzy Hash: e673656f9836936fe48e8192354fa217441fd1ac0d2e54c76e242583ad21e9f1
                                        • Instruction Fuzzy Hash: 2AE09A32606124BBCB127BC0EC08A8E3F39BF09B21B004420F909661B2C66019838BD1
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A3EC8E
                                          • Part of subcall function 00A3D87C: __EH_prolog3.LIBCMT ref: 00A3D883
                                          • Part of subcall function 00A3D87C: std::_Lockit::_Lockit.LIBCPMT ref: 00A3D88D
                                          • Part of subcall function 00A3D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 00A3D8FE
                                        • _Find_elem.LIBCPMT ref: 00A3EE8A
                                        Strings
                                        • 0123456789ABCDEFabcdef-+Xx, xrefs: 00A3ECF6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                        • String ID: 0123456789ABCDEFabcdef-+Xx
                                        • API String ID: 2544715827-2799312399
                                        • Opcode ID: 775d179c7e539b5131827377b538ba29d9915a032ff21a9b23a7fdbecb44ac6d
                                        • Instruction ID: c5ead49f3c84c77cb13600487ed9b6eed60ac0d903ae0d47e47358f54d9ea955
                                        • Opcode Fuzzy Hash: 775d179c7e539b5131827377b538ba29d9915a032ff21a9b23a7fdbecb44ac6d
                                        • Instruction Fuzzy Hash: 06C15B34E042889FDF25DBA8C550BECBBB2AF55300F2840AAF8956B2C7D7719D46CB51
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A462C8
                                          • Part of subcall function 00A42D74: __EH_prolog3.LIBCMT ref: 00A42D7B
                                          • Part of subcall function 00A42D74: std::_Lockit::_Lockit.LIBCPMT ref: 00A42D85
                                          • Part of subcall function 00A42D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00A42DF6
                                        • _Find_elem.LIBCPMT ref: 00A46502
                                        Strings
                                        • 0123456789ABCDEFabcdef-+Xx, xrefs: 00A4633F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                        • String ID: 0123456789ABCDEFabcdef-+Xx
                                        • API String ID: 2544715827-2799312399
                                        • Opcode ID: 0cebc443a1289d359817d73eaa65e837c79eee298774aadd1968c14e35162eaa
                                        • Instruction ID: 8edde1d19922615b0e0bc8c8e335a0bcb6d05015710aba5e6cb35e08180f881b
                                        • Opcode Fuzzy Hash: 0cebc443a1289d359817d73eaa65e837c79eee298774aadd1968c14e35162eaa
                                        • Instruction Fuzzy Hash: 85C1B978E042588FDF25DF64C9417EDBBB2BF92304F548099D849AB287DB349C85CB52
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A4669E
                                          • Part of subcall function 00A3B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00A3B8DD
                                          • Part of subcall function 00A3B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00A3B900
                                          • Part of subcall function 00A3B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B928
                                          • Part of subcall function 00A3B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00A3B9B7
                                        • _Find_elem.LIBCPMT ref: 00A468D8
                                        Strings
                                        • 0123456789ABCDEFabcdef-+Xx, xrefs: 00A46715
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                        • String ID: 0123456789ABCDEFabcdef-+Xx
                                        • API String ID: 3042121994-2799312399
                                        • Opcode ID: 519c1280306f290c3009727e204e2ddb9e9490e5815d0e029493c285d8ba17cf
                                        • Instruction ID: 2888bccaee588c6e0e052c16f286c3e7014fc6ae7db14cdaec408e70f8c7397f
                                        • Opcode Fuzzy Hash: 519c1280306f290c3009727e204e2ddb9e9490e5815d0e029493c285d8ba17cf
                                        • Instruction Fuzzy Hash: 36C1A638E042588FDF25DF64C9417EDBBB2BF92304F548099D889AB283DB749D85CB52
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00A61AFD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: 324fcde32bc8a2041578c4fba722d137abb2f86e311bc224ed8ab8c8f7dd0a04
                                        • Instruction ID: 0a81ae8c6a39a5240421fef1325dfbab39c239fab81d96243bd624a8613013ae
                                        • Opcode Fuzzy Hash: 324fcde32bc8a2041578c4fba722d137abb2f86e311bc224ed8ab8c8f7dd0a04
                                        • Instruction Fuzzy Hash: 15517D71A49201CACB11B754CE113BE7FB0EB60751F388958E0D6963F8EA358CD69E87
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                        • API String ID: 3732870572-1956417402
                                        • Opcode ID: dfc93b542cd22feccfb38294034c2107f7b1789078d22a09117c68aca351f9db
                                        • Instruction ID: 2419b1b88ce5833382043b6a264cc41d306cc44cbe50cccc018d119be89b4160
                                        • Opcode Fuzzy Hash: dfc93b542cd22feccfb38294034c2107f7b1789078d22a09117c68aca351f9db
                                        • Instruction Fuzzy Hash: 0F51D270B04285AADF258F6CC885BBE7BB5BF46352F14446AEC92D7281C3748D4DC761
                                        APIs
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00A3BF6E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_task
                                        • String ID: false$true
                                        • API String ID: 118556049-2658103896
                                        • Opcode ID: df57f3961246977039df045c73900190277a0878b15d7fe75562767cfa51ebf2
                                        • Instruction ID: d9f8c1ac24cf2cfcdded9fcd64899b1c1759d24c65f738a3f8dfa47aff9cbbdf
                                        • Opcode Fuzzy Hash: df57f3961246977039df045c73900190277a0878b15d7fe75562767cfa51ebf2
                                        • Instruction Fuzzy Hash: DC51C7B5D007489FDB10DFA4C941BEEB7B8FF05304F14426AF945A7241E774A585CB61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                         • Associated: 00000004.00000002.1771349325.0000000000A30000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771453580.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771537227.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.1771656653.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_a30000_MSI704E.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 0-3019864461
                                        • Opcode ID: bbc22251974b9b750b0b78283a7e29626287592298f28e0361ca1f41f1772e62
                                        • Instruction ID: e3d288c5c508dc5ca366b4c45aa9cb99c855cc9a97d90b7a70a0dd6cd70b5675
                                        • Opcode Fuzzy Hash: bbc22251974b9b750b0b78283a7e29626287592298f28e0361ca1f41f1772e62
                                        • Instruction Fuzzy Hash: 6551D4B1E042049BDB24DFA4D946BEEB7B5FF54314F10461DF801B7290DBB56988CB90
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A4D501
                                        • _swprintf.LIBCMT ref: 00A4D573
                                          • Part of subcall function 00A4254E: __EH_prolog3.LIBCMT ref: 00A42555
                                          • Part of subcall function 00A4254E: std::_Lockit::_Lockit.LIBCPMT ref: 00A4255F
                                          • Part of subcall function 00A4254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00A425D0
                                          • Part of subcall function 00A42FC8: __EH_prolog3.LIBCMT ref: 00A42FCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
                                        • String ID: %.0Lf
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A4D7A5
                                        • _swprintf.LIBCMT ref: 00A4D817
                                          • Part of subcall function 00A38610: std::_Lockit::_Lockit.LIBCPMT ref: 00A38657
                                          • Part of subcall function 00A38610: std::_Lockit::_Lockit.LIBCPMT ref: 00A38679
                                          • Part of subcall function 00A38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00A386A1
                                          • Part of subcall function 00A38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00A3880E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                        • String ID: %.0Lf
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00A5188E
                                        • _swprintf.LIBCMT ref: 00A51900
                                          • Part of subcall function 00A39270: std::_Lockit::_Lockit.LIBCPMT ref: 00A392A0
                                          • Part of subcall function 00A39270: std::_Lockit::_Lockit.LIBCPMT ref: 00A392C2
                                          • Part of subcall function 00A39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00A392EA
                                          • Part of subcall function 00A39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00A39422
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                        • String ID: %.0Lf
                                        APIs
                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00A5607E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID: MOC$RCC
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog3___cftoe
                                        • String ID: !%x
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog3___cftoe
                                        • String ID: !%x
                                        APIs
                                        • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00A35F86
                                        • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,9666CEAE), ref: 00A35FF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: ConvertFreeLocalString
                                        • String ID: Invalid SID
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00A3909B
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A390FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                        • String ID: bad locale name
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID: false$true
                                        APIs
                                        • LocalFree.KERNEL32(00000000,00A34261,00A74400,000000FF,9666CEAE,00000000,?,00000000,?,?,?,00A74400,000000FF,?,00A33A75,?), ref: 00A34096
                                        • LocalAlloc.KERNEL32(00000040,40000022,9666CEAE,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00A34154
                                        • LocalAlloc.KERNEL32(00000040,3FFFFFFF,9666CEAE,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00A34177
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A34217
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: Local$AllocFree
                                        • String ID:
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00A31E01
                                        • LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00A31E21
                                        • LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00A31EA7
                                        • LocalFree.KERNEL32(00000001,9666CEAE,00000000,00000000,00A73C40,000000FF,?,00000000), ref: 00A31F2D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1771376287.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true
                                        Similarity
                                        • API ID: Local$AllocFree
                                        • String ID:

                                        Execution Graph

                                        Execution Coverage:1.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:389
                                        Total number of Limit Nodes:10
174a10 41 API calls 4 library calls 33128->33151 33130->33050 33132 175a03 33131->33132 33133 1759f8 33131->33133 33136 172310 56 API calls 33132->33136 33137 175a1a 33132->33137 33134 175d30 41 API calls 33133->33134 33135 175a01 33134->33135 33135->33056 33136->33137 33152 175a60 42 API calls 33137->33152 33153 197869 33139->33153 33143 175971 33142->33143 33145 17572d 33142->33145 33144 175981 CloseHandle 33143->33144 33143->33145 33144->33145 33145->33089 33146->33073 33147->33062 33148->33065 33149->33067 33151->33130 33152->33135 33158 197078 33153->33158 33159 19708f 33158->33159 33160 197096 33158->33160 33166 1976d9 33159->33166 33160->33159 33203 1a57cc 41 API calls 3 library calls 33160->33203 33162 1970b7 33204 1a5ab7 41 API calls __Getcoll 33162->33204 33164 1970cd 33205 1a5b15 41 API calls __cftoe 33164->33205 33167 197709 ___crtLCMapStringW 33166->33167 33168 1976f3 33166->33168 33167->33168 33170 197720 33167->33170 33206 197370 14 API calls std::_Stodx_v2 33168->33206 33190 197702 33170->33190 33208 1a5c2a 6 API calls 2 library calls 33170->33208 33173 19776e 33175 197778 33173->33175 33176 19778f 33173->33176 33174 192937 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 33179 1753d3 33174->33179 33209 197370 14 API calls std::_Stodx_v2 33175->33209 33177 1977a5 33176->33177 33178 197794 33176->33178 33182 197826 33177->33182 33185 1977cc 33177->33185 33193 1977b9 __alloca_probe_16 33177->33193 33211 197370 14 API calls std::_Stodx_v2 33178->33211 33179->33054 33179->33060 33216 197370 14 API calls std::_Stodx_v2 33182->33216 33183 19777d 33210 197370 14 API calls std::_Stodx_v2 33183->33210 33184 1976f8 33207 197017 41 API calls collate 33184->33207 33212 1a5bdc 15 API calls 2 library calls 33185->33212 33188 19782b 33217 197370 14 API calls std::_Stodx_v2 33188->33217 33190->33174 33192 1977d2 33192->33182 33192->33193 33193->33182 33196 1977e6 33193->33196 33194 197813 33218 192326 14 API calls ___std_exception_destroy 33194->33218 33213 
1a5c2a 6 API calls 2 library calls 33196->33213 33198 197802 33199 197809 33198->33199 33200 19781a 33198->33200 33214 19b762 41 API calls 2 library calls 33199->33214 33215 197370 14 API calls std::_Stodx_v2 33200->33215 33203->33162 33204->33164 33205->33159 33206->33184 33207->33190 33208->33173 33209->33183 33210->33190 33211->33184 33212->33192 33213->33198 33214->33194 33215->33194 33216->33188 33217->33194 33218->33190

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00176AC8
                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00176AD5
                                        • CloseHandle.KERNEL32(00000000), ref: 00176AF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Process$CloseCurrentHandleOpenToken
                                        • String ID: S-1-5-18
                                        • API String ID: 4052875653-4289277601
                                        • Opcode ID: 1e1a0ead959cda7fc8605c065e9aabd9a4e3497870ea387306ff18d8db88b0d3
                                        • Instruction ID: 3cc43700cc189e77af617a6e190e3cd032a0b5ddf3903e0a3e7aca7c1103e215
                                        • Opcode Fuzzy Hash: 1e1a0ead959cda7fc8605c065e9aabd9a4e3497870ea387306ff18d8db88b0d3
                                        • Instruction Fuzzy Hash: DE02D270900649DFDF14DFA4C954BEEBBB5EF55314F18C258E84AAB285EB30AE05CB90

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 001757C0: GetCurrentProcess.KERNEL32(00000008,?,E71D449C,?,-00000010), ref: 001757D0
                                          • Part of subcall function 001757C0: OpenProcessToken.ADVAPI32(00000000), ref: 001757D7
                                        • CoInitialize.OLE32(00000000), ref: 00174C15
                                        • CoCreateInstance.OLE32(001B72B0,00000000,00000004,001C5104,00000000,?), ref: 00174C45
                                        • CoUninitialize.OLE32 ref: 00175187
                                        • _com_issue_error.COMSUPP ref: 001751B5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
                                        • String ID:
                                        • API String ID: 928366108-0
                                        • Opcode ID: c2a44355fa2369b8f6c237f8c632dda4e24319fb3d8fd0e6f7e25fb45ac8b2be
                                        • Instruction ID: 8ffd305e64f3dcc4a5c5d917415a6604f3502efd688ffa0173f27870b394f9ba
                                        • Opcode Fuzzy Hash: c2a44355fa2369b8f6c237f8c632dda4e24319fb3d8fd0e6f7e25fb45ac8b2be
                                        • Instruction Fuzzy Hash: B422A070E04388DFEF11CFA8C948BADBBB5AF55304F24819DE409EB281D7B59A45CB61

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000008,?,E71D449C,?,-00000010), ref: 001757D0
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 001757D7
                                        • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0017580C
                                        • CloseHandle.KERNEL32(?), ref: 00175822
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                        • String ID:
                                        • API String ID: 215268677-0
                                        • Opcode ID: fe83f8431bcfa3f9feb34e1c7bdb5d81cf5ad9fd0d68631b012da42a1d481eea
                                        • Instruction ID: 2e78fc5347aa9aae70246f8346c6ba28487e8204080f37ac4530c5fbb82d6e4e
                                        • Opcode Fuzzy Hash: fe83f8431bcfa3f9feb34e1c7bdb5d81cf5ad9fd0d68631b012da42a1d481eea
                                        • Instruction Fuzzy Hash: 1CF03074148301AFEB10AF20EC49BAA7BE8FB85700F90891EFD84C21A0D379955CDB63

                                        Control-flow Graph

                                        APIs
                                        • GetCommandLineW.KERNEL32(E71D449C,?,?,?,?,?,?,?,?,?,001B56D5,000000FF), ref: 0017CDE8
                                          • Part of subcall function 00171F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00174251,E71D449C,00000000,?,00000000,?,?,?,001B4400,000000FF,?), ref: 00171F9D
                                        • ExitProcess.KERNEL32 ref: 0017CEB1
                                          • Part of subcall function 00176600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 0017667E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: AllocCommandCreateExitFileLineLocalProcess
                                        • String ID: Full command line:
                                        • API String ID: 1878577176-831861440
                                        • Opcode ID: 5c529e867f6d16f57c0b8a606b26cb5327735a6e122a9c90eec0bf601c3ffb3c
                                        • Instruction ID: 00bafc5f8999e9fdcca74ec636b6eea48a8a8ca8a86f31465426bdf8dd34a537
                                        • Opcode Fuzzy Hash: 5c529e867f6d16f57c0b8a606b26cb5327735a6e122a9c90eec0bf601c3ffb3c
                                        • Instruction Fuzzy Hash: 9521BC71910214ABCB15FB74CC46BAE77B5AF64740F148129F40AAB2D2EF346B08C7D2

                                        Control-flow Graph

                                        APIs
                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00175E18,E71D449C,?), ref: 00175EB4
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00175E18,E71D449C,?), ref: 00175EBE
                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00175E18,E71D449C,?), ref: 00175F1A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: InformationToken$ErrorLast
                                        • String ID:
                                        • API String ID: 2567405617-0
                                        • Opcode ID: f5be310a2895dbc0452d796a326be0164c5d52708a2417d4c153bafa3a9bbb2f
                                        • Instruction ID: 7a6273e8e4bc456afc4c24acfa7958bb3366838fb277cd11871c47578e3d9b73
                                        • Opcode Fuzzy Hash: f5be310a2895dbc0452d796a326be0164c5d52708a2417d4c153bafa3a9bbb2f
                                        • Instruction Fuzzy Hash: C1318F71A00609AFDB14CF99CC45BAFFBF9FB44710F10852EF419A7680DBB1A9408BA0

                                        Control-flow Graph

                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,?,?,?,001A596A,00000001,00000364,?,00000006,000000FF,?,00196CE7,00000000,001A3841,00000000), ref: 001A70FC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 2c18f74d0bf3d6dd90e85cf63a2f30dd9e4c8dcc3d1a8316e8306ebc47c06f81
                                        • Instruction ID: cb301121309410dc1297248dcabc87a0d89ef6189183da42d1e86c6ce7f52472
                                        • Opcode Fuzzy Hash: 2c18f74d0bf3d6dd90e85cf63a2f30dd9e4c8dcc3d1a8316e8306ebc47c06f81
                                        • Instruction Fuzzy Hash: D9F0E23930C2206A9F276B629D01B6F7B9DEF637B0B154122BC149A5D1CB20EE0186E1
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 0017CBB6
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,001CE6D0,00000800), ref: 0017CBD3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: OpenQueryValue
                                        • String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
                                        • API String ID: 4153817207-482544602
                                        • Opcode ID: c593409334ba88da183828978103b41d6c9ed46df0ca6351aef3ffff7f77a874
                                        • Instruction ID: ca98c3cdea71474153a37559289f2705c5015324b525614877280b88ab553f39
                                        • Opcode Fuzzy Hash: c593409334ba88da183828978103b41d6c9ed46df0ca6351aef3ffff7f77a874
                                        • Instruction Fuzzy Hash: 66C1D2356042168ACB359F14D80177AB3F2EFA4744F69C45EE88E9B291EB70DE82C7D1
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,001AE8D1,00000002,00000000,?,?,?,001AE8D1,?,00000000), ref: 001AE64C
                                        • GetLocaleInfoW.KERNEL32(?,20001004,001AE8D1,00000002,00000000,?,?,?,001AE8D1,?,00000000), ref: 001AE675
                                        • GetACP.KERNEL32(?,?,001AE8D1,?,00000000), ref: 001AE68A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: a3ad4ee1ad28cecaa20157b2c9cd140b7676a59f300a8e4c5a88a3a23d3658fd
                                        • Instruction ID: 296101041288aa76bbcf90e8bee41cb0e9eb43007838c1d95b571d7a6745b782
                                        • Opcode Fuzzy Hash: a3ad4ee1ad28cecaa20157b2c9cd140b7676a59f300a8e4c5a88a3a23d3658fd
                                        • Instruction Fuzzy Hash: 0921B03AB00101AADB38CF58C914AD777E6AB76F64F568864E90ED7110F732DD40C750
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: _swprintf$FreeLocal
                                        • String ID:
                                        • API String ID: 2429749586-0
                                        • Opcode ID: 8577a308a96a5c69782b4f607470ed48c993979cd57c4e3427cc4f76348a5e3e
                                        • Instruction ID: aa6356e315b5fdf627d2d5b8d9b7864ccf32547cd2b2cd7794a3ea069fea2769
                                        • Opcode Fuzzy Hash: 8577a308a96a5c69782b4f607470ed48c993979cd57c4e3427cc4f76348a5e3e
                                        • Instruction Fuzzy Hash: FCF1AC71D00219AFDF28DFA8DC40BAEBBB5FF49300F148629F915A7281D735A945CBA1
                                        APIs
                                          • Part of subcall function 001A57CC: GetLastError.KERNEL32(?,00000008,001AAD4C), ref: 001A57D0
                                          • Part of subcall function 001A57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001A5872
                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001AE894
                                        • IsValidCodePage.KERNEL32(00000000), ref: 001AE8DD
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 001AE8EC
                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001AE934
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001AE953
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                        • String ID:
                                        • API String ID: 415426439-0
                                        • Opcode ID: 19419d3c912eed6729d7d6263da50807123331dfe1533ab68b5ad112e456c5e8
                                        • Instruction ID: e01cf204c704c8a5b67527be3f3829bcd5faafe464dcfd1610a1b66de2f56fec
                                        • Opcode Fuzzy Hash: 19419d3c912eed6729d7d6263da50807123331dfe1533ab68b5ad112e456c5e8
                                        • Instruction Fuzzy Hash: CC517D79A00215AFEF20DFA5DC45ABE77F8EF5A700F154069E910E7191EB74DA40CBA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: _strrchr
                                        • String ID:
                                        • API String ID: 3213747228-0
                                        • Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
                                        • Instruction ID: 4a32bb08d7ae8cb654044869a5b1959b882391ab77a8e40feadd4a046477264a
                                        • Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
                                        • Instruction Fuzzy Hash: 26B1577A9086459FDB15CF68C881BFEBBB6EF56300F19816AE904EB341D3349D41CBA0
                                        APIs
                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 001AB0C8
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 001AB143
                                        • FindClose.KERNEL32(00000000), ref: 001AB165
                                        • FindClose.KERNEL32(00000000), ref: 001AB188
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID:
                                        • API String ID: 1164774033-0
                                        • Opcode ID: adaa934ff59e401f7b3a8cfb42f1e609eacf973f1765c9ddc876eb579561fc26
                                        • Instruction ID: 4837908415b621f35bae670bbeb02074997a07fc755b92b2af572272582bb982
                                        • Opcode Fuzzy Hash: adaa934ff59e401f7b3a8cfb42f1e609eacf973f1765c9ddc876eb579561fc26
                                        • Instruction Fuzzy Hash: 5741C375A04669AEDB20EFA8DDD9ABBB7B8EF86304F004195F405D7181E7309E80CB60
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001933B4
                                        • IsDebuggerPresent.KERNEL32 ref: 00193480
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001934A0
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 001934AA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                        • String ID:
                                        • API String ID: 254469556-0
                                        • Opcode ID: 4bbd29a418ca6c7356455c998d2ba0c3025577794feaa1b546ef3b1d485686ba
                                        • Instruction ID: 1a84aac761462cde4310ecd2906a3d05be2b00b6b2d53377900231c2c609eb53
                                        • Opcode Fuzzy Hash: 4bbd29a418ca6c7356455c998d2ba0c3025577794feaa1b546ef3b1d485686ba
                                        • Instruction Fuzzy Hash: FF314775D053189BEF11DFA4D989BCCBBB8AF08304F1041AAE50CAB290EB719B85CF45

                                        Control-flow Graph

                                        APIs
                                        • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 0017549C
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 0017551D
                                        • ShellExecuteExW.SHELL32(?), ref: 00175601
                                        • ShellExecuteExW.SHELL32(?), ref: 00175637
                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 0017567C
                                        • GetProcAddress.KERNEL32(00000000), ref: 00175685
                                        • AllowSetForegroundWindow.USER32(00000000), ref: 0017568B
                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 001756AB
                                        • GetProcAddress.KERNEL32(00000000), ref: 001756AE
                                        • Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 001756CA
                                        • EnumWindows.USER32(00175830,?), ref: 001756DF
                                        • BringWindowToTop.USER32(00000000), ref: 001756F4
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00175711
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 0017571B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
                                        • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
                                        • API String ID: 697762045-2796270252
                                        • Opcode ID: 185bb73bb97b9bdd37ac0c6068d31723b7f8a6d716c601a49e1c13cd108aca8c
                                        • Instruction ID: aae1a52af259b504e03ba62df402e81bed7ed41e18f2c754cc095cdf87087a7a
                                        • Opcode Fuzzy Hash: 185bb73bb97b9bdd37ac0c6068d31723b7f8a6d716c601a49e1c13cd108aca8c
                                        • Instruction Fuzzy Hash: FCE1C171A00A099BCF14DFA8C844BAEB7F6EF68714F54816DE819EB291E770AD41CB50
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 0017667E
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 001766D7
                                        • LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 001766E2
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 001766FE
                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,001B49E5,000000FF), ref: 001767DB
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,001B49E5,000000FF), ref: 001767E7
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,001B49E5), ref: 0017682F
                                        • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,001B49E5,000000FF), ref: 0017684A
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,001B49E5), ref: 00176867
                                        • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,001B49E5,000000FF), ref: 00176891
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 001768D8
                                        • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 0017692A
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,001B49E5,000000FF), ref: 0017695C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                        • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                        • API String ID: 2199533872-3004881174
                                        • Opcode ID: 44406b3aa35d51db172a7af2c5f731475b0b77691f74c1945ffdcb441839d9fc
                                        • Instruction ID: 4df5c687906c0fc277752f51f1dbd2251a8e0d90a07691e367e9e863a5c40573
                                        • Opcode Fuzzy Hash: 44406b3aa35d51db172a7af2c5f731475b0b77691f74c1945ffdcb441839d9fc
                                        • Instruction Fuzzy Hash: A0B14671904649AFEB20DF68CC86BEFBBB5EF55700F148129F508AB2C1D7709A48C7A1
                                        APIs
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(001CDD3C,00000FA0,?,?,00192B6A), ref: 00192B98
                                        • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00192B6A), ref: 00192BA3
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00192B6A), ref: 00192BB4
                                        • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00192BC6
                                        • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00192BD4
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00192B6A), ref: 00192BF7
                                        • DeleteCriticalSection.KERNEL32(001CDD3C,00000007,?,?,00192B6A), ref: 00192C13
                                        • CloseHandle.KERNEL32(00000000,?,?,00192B6A), ref: 00192C23
                                        Strings
                                        • SleepConditionVariableCS, xrefs: 00192BC0
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00192B9E
                                        • kernel32.dll, xrefs: 00192BAF
                                        • WakeAllConditionVariable, xrefs: 00192BCC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 2565136772-3242537097
                                        • Opcode ID: 54a6bc3e69818335784546a1dd38cbb5367e21abbb2e5a220219657e04bed689
                                        • Instruction ID: 04904a7ecee81ea7480da3a0e9df877b5783f68aae970ca24dbdea16222ecacc
                                        • Opcode Fuzzy Hash: 54a6bc3e69818335784546a1dd38cbb5367e21abbb2e5a220219657e04bed689
                                        • Instruction Fuzzy Hash: 76015EB1A45211ABDA212FA9BC09EA67BA89F95B51B000926F906D25E0DF74C880C670
                                        APIs
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00195DAC
                                        • type_info::operator==.LIBVCRUNTIME ref: 00195DCE
                                        • ___TypeMatch.LIBVCRUNTIME ref: 00195EDD
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00195FAF
                                        • _UnwindNestedFrames.LIBCMT ref: 00196033
                                        • CallUnexpected.LIBVCRUNTIME ref: 0019604E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2123188842-393685449
                                        • Opcode ID: 7e93a8d77e4edf33333f0568162a3542ff5ebda4040d5de3a7836900b8f69b5d
                                        • Instruction ID: e31709e4f505ae37c077b9e0889e19374f618fdcd4f1bc9105fdcd70cc7f98ba
                                        • Opcode Fuzzy Hash: 7e93a8d77e4edf33333f0568162a3542ff5ebda4040d5de3a7836900b8f69b5d
                                        • Instruction Fuzzy Hash: A5B15C71800609EFCF2ADFA4C8859AEBBB6FF24324F14415AF8157B212D731DA55CBA1
                                        APIs
                                        • OpenProcess.KERNEL32(00000400,00000000,?,E71D449C,?,?,?), ref: 001742D2
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,E71D449C,?,?,?), ref: 001742F3
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,E71D449C,?,?,?), ref: 00174326
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,E71D449C,?,?,?), ref: 00174337
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 00174355
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 00174371
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 00174399
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 001743B5
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 001743D3
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 001743EF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: CloseHandle$Process$OpenTimes
                                        • String ID:
                                        • API String ID: 1711917922-0
                                        • Opcode ID: 478b17893d51b88cde9ad04edb0765bd18c6fb8421602d4803ba924c8aa64466
                                        • Instruction ID: 8a49e95b3fff90ca9767e0359dad62b962987580e2f9c4b4231345e08dd4043a
                                        • Opcode Fuzzy Hash: 478b17893d51b88cde9ad04edb0765bd18c6fb8421602d4803ba924c8aa64466
                                        • Instruction Fuzzy Hash: 34515D70D05228EBDB10DF98D984BEEFBB4BF49724F248219E518B72D0C7745D058BA8
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018BBC4
                                          • Part of subcall function 0018254E: __EH_prolog3.LIBCMT ref: 00182555
                                          • Part of subcall function 0018254E: std::_Lockit::_Lockit.LIBCPMT ref: 0018255F
                                          • Part of subcall function 0018254E: std::_Lockit::~_Lockit.LIBCPMT ref: 001825D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                        • API String ID: 1538362411-2891247106
                                        • Opcode ID: ef517644e5c88a7553f0a5e72dda813bb4738417ab495d7822896b34066ffc47
                                        • Instruction ID: 1f1d660c034c4f9ce4bdbfe038910de286b2e5342e247be7e54dc2ae0b902324
                                        • Opcode Fuzzy Hash: ef517644e5c88a7553f0a5e72dda813bb4738417ab495d7822896b34066ffc47
                                        • Instruction Fuzzy Hash: 59B17C7250810AAFCF19EF68CDA5EFE3BA9EB18704F154119FA06A6251D731DB10DF60
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00190CA4
                                          • Part of subcall function 00179270: std::_Lockit::_Lockit.LIBCPMT ref: 001792A0
                                          • Part of subcall function 00179270: std::_Lockit::_Lockit.LIBCPMT ref: 001792C2
                                          • Part of subcall function 00179270: std::_Lockit::~_Lockit.LIBCPMT ref: 001792EA
                                          • Part of subcall function 00179270: std::_Lockit::~_Lockit.LIBCPMT ref: 00179422
                                        Strings
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                        • API String ID: 1383202999-2891247106
                                        • Opcode ID: c7e266da8444ef36539bb28065f4181fdec7531390c90f6da332e7a444e8be7d
                                        • Instruction ID: 97aea4f46d98322757057dc52abd3f1528c1583ce0d9ed7f69facd372002e70d
                                        • Opcode Fuzzy Hash: c7e266da8444ef36539bb28065f4181fdec7531390c90f6da332e7a444e8be7d
                                        • Instruction Fuzzy Hash: FEB1AC7250020AAFCF2ADFA8C959DFE3BB9EF18304F154119FA06A6251D732DA51DB60
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018BF85
                                          • Part of subcall function 00178610: std::_Lockit::_Lockit.LIBCPMT ref: 00178657
                                          • Part of subcall function 00178610: std::_Lockit::_Lockit.LIBCPMT ref: 00178679
                                          • Part of subcall function 00178610: std::_Lockit::~_Lockit.LIBCPMT ref: 001786A1
                                          • Part of subcall function 00178610: std::_Lockit::~_Lockit.LIBCPMT ref: 0017880E
                                        Strings
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                        • API String ID: 1383202999-2891247106
                                        • Opcode ID: d39729719478088cae8ff5c614d7a669020e767d8d955da5355bea4a7d7433e1
                                        • Instruction ID: 04e36fd9eeca59f8f3b34c062b322bbc62eab209376559a588501326a4c3724e
                                        • Opcode Fuzzy Hash: d39729719478088cae8ff5c614d7a669020e767d8d955da5355bea4a7d7433e1
                                        • Instruction Fuzzy Hash: C7B17F7650010AEFCF19EEA8C999DFA3BB9FB58344F15411AF902A2291D731DB10DFA0
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0018855C
                                        • _Maklocstr.LIBCPMT ref: 001885C5
                                        • _Maklocstr.LIBCPMT ref: 001885D7
                                        • _Maklocchr.LIBCPMT ref: 001885EF
                                        • _Maklocchr.LIBCPMT ref: 001885FF
                                        • _Getvals.LIBCPMT ref: 00188621
                                          • Part of subcall function 00181CD4: _Maklocchr.LIBCPMT ref: 00181D03
                                          • Part of subcall function 00181CD4: _Maklocchr.LIBCPMT ref: 00181D19
                                        Strings
                                        Similarity
                                        • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                        • String ID: false$true
                                        • API String ID: 3549167292-2658103896
                                        • Opcode ID: ba740fdfe95ac0a3f13945dfc4eebb5ea64042d8fb08e3b4ed4b8f9d24bd0f0e
                                        • Instruction ID: e6825d074f687ef94453d21f3af26faa968b86a4661f407174ac78ed503eb4e0
                                        • Opcode Fuzzy Hash: ba740fdfe95ac0a3f13945dfc4eebb5ea64042d8fb08e3b4ed4b8f9d24bd0f0e
                                        • Instruction Fuzzy Hash: A2213BB2D00318BADF15FFA4D885ADE7BA8AF15710F10811AB915AF142EB709A41CFA1
                                        APIs
                                        • std::locale::_Init.LIBCPMT ref: 00179763
                                          • Part of subcall function 00180C94: __EH_prolog3.LIBCMT ref: 00180C9B
                                          • Part of subcall function 00180C94: std::_Lockit::_Lockit.LIBCPMT ref: 00180CA6
                                          • Part of subcall function 00180C94: std::locale::_Setgloballocale.LIBCPMT ref: 00180CC1
                                          • Part of subcall function 00180C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00180D17
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017978A
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001797F0
                                        • std::locale::_Locimp::_Makeloc.LIBCPMT ref: 0017984A
                                          • Part of subcall function 0017F57A: __EH_prolog3.LIBCMT ref: 0017F581
                                        • LocalFree.KERNEL32(00000000,00000000,?,001C54B1,00000000), ref: 001799BF
                                        • __cftoe.LIBCMT ref: 00179B0B
                                        Strings
                                        Similarity
                                        • API ID: std::_$Lockitstd::locale::_$H_prolog3Lockit::_$FreeInitLocalLocimp::_Locinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
                                        • String ID: bad locale name
                                        • API String ID: 3578231455-1405518554
                                        • Opcode ID: 9a09e9b378e39a5df33e223ee6fe59cf1c7013b92b5f4c89867842df29557b8f
                                        • Instruction ID: e9a046b2f0b1b2e535c2fdbcb0d698fdd883c1f3f510cbd46ea1b5b321472a8a
                                        • Opcode Fuzzy Hash: 9a09e9b378e39a5df33e223ee6fe59cf1c7013b92b5f4c89867842df29557b8f
                                        • Instruction Fuzzy Hash: 21F1A071D01249DFDF14CFA8C985BEEBBB5EF19304F148169E809AB381E7359A48CB91
                                        APIs
                                          • Part of subcall function 001736D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00173735
                                          • Part of subcall function 001736D0: _wcschr.LIBVCRUNTIME ref: 001737C6
                                        • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00173CA8
                                        • ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00173D01
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00173D7A
                                        • ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00173EB1
                                        • GetLastError.KERNEL32 ref: 00173F34
                                        • FreeLibrary.KERNEL32(?), ref: 00173F7B
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 00173CA2
                                        Similarity
                                        • API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 566592816-2781105232
                                        • Opcode ID: f64372da408d6bd9215e0c1e2b191ed07edf285853e044c74ea50a7aa7eef502
                                        • Instruction ID: 2b6b1d756856b81b2884a147c7e17594089fa9d560d638f78b91e9cde050af83
                                        • Opcode Fuzzy Hash: f64372da408d6bd9215e0c1e2b191ed07edf285853e044c74ea50a7aa7eef502
                                        • Instruction Fuzzy Hash: 7DA15C70904659DEDB20DF64CC49BAEBBF0FF58304F24459DE449A7280EBB5AA84CF91
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,40000022,E71D449C,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00174154
                                        • LocalAlloc.KERNEL32(00000040,3FFFFFFF,E71D449C,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00174177
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00174217
                                        • OpenProcess.KERNEL32(00000400,00000000,?,E71D449C,?,?,?), ref: 001742D2
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,E71D449C,?,?,?), ref: 001742F3
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,E71D449C,?,?,?), ref: 00174326
                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,E71D449C,?,?,?), ref: 00174337
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 00174355
                                        • CloseHandle.KERNEL32(00000000,?,E71D449C,?,?,?), ref: 00174371
                                        Similarity
                                        • API ID: Process$Local$AllocCloseHandleOpenTimes$Free
                                        • String ID:
                                        • API String ID: 1424318461-0
                                        • Opcode ID: b986c2bb4116fce66f42863f378df417dad3379db0be0a856275354aafbd777f
                                        • Instruction ID: ff8b392aa63ed8730b552560c2f53acb39d88e199d1b02d5e4d635879895e3e7
                                        • Opcode Fuzzy Hash: b986c2bb4116fce66f42863f378df417dad3379db0be0a856275354aafbd777f
                                        • Instruction Fuzzy Hash: E0819C71A002159FDB14DFA8D985BAEFBB5FB48310F248229F929A72D0D770AD408B94
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?), ref: 001926F8
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00192786
                                        • __alloca_probe_16.LIBCMT ref: 001927B0
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001927F8
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00192812
                                        • __alloca_probe_16.LIBCMT ref: 00192838
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00192875
                                        • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00192892
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                        • String ID:
                                        • API String ID: 3603178046-0
                                        • Opcode ID: e5ade0cf42021e3be28bd67befa3e044e14d612550ccbd42444b83e5dfe13af8
                                        • Instruction ID: 39f32e6c7b42bbdfd0852200c19476ec442ee573378bd7e91bd2852109ccec01
                                        • Opcode Fuzzy Hash: e5ade0cf42021e3be28bd67befa3e044e14d612550ccbd42444b83e5dfe13af8
                                        • Instruction Fuzzy Hash: 0271A076D0020ABBDF259FA4DC85AEE7BFAEF55750F290119E904B7291D731C840CBA0
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 001921A3
                                        • __alloca_probe_16.LIBCMT ref: 001921CF
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0019220E
                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0019222B
                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0019226A
                                        • __alloca_probe_16.LIBCMT ref: 00192287
                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001922C9
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 001922EC
                                        Similarity
                                        • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                        • String ID:
                                        • API String ID: 2040435927-0
                                        • Opcode ID: db2c037ded3c29b1f75ca6fd886a55242252d76a9a5f93df0c2c6f4bed429014
                                        • Instruction ID: 4d08b93a67f94a6ff97f729a9de866d93130ed9884c808dbc0d18078df46d9a1
                                        • Opcode Fuzzy Hash: db2c037ded3c29b1f75ca6fd886a55242252d76a9a5f93df0c2c6f4bed429014
                                        • Instruction Fuzzy Hash: C051AE72A0020ABFEF209FA4CC45FAB7BA9FF55740F154529FA15A6190D734DD109BA0
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001738CB
                                        • CloseHandle.KERNEL32(00000000), ref: 0017390B
                                        • Process32FirstW.KERNEL32(?,00000000), ref: 0017395F
                                        • OpenProcess.KERNEL32(00000410,00000000,?), ref: 0017397A
                                        • CloseHandle.KERNEL32(00000000), ref: 00173A8E
                                        • Process32NextW.KERNEL32(?,00000000), ref: 00173AA2
                                        • CloseHandle.KERNEL32(?), ref: 00173AF0
                                        Similarity
                                        • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 708755948-0
                                        • Opcode ID: d7d44cb57b7e4eed61f161d78c4419b54971cdc574a2e9c71587a41ff7edad8f
                                        • Instruction ID: b3454bfa1a93b4f73e1cefee5ee7708a17a09e00bd9b5b8dfcbae9ac39ace3bb
                                        • Opcode Fuzzy Hash: d7d44cb57b7e4eed61f161d78c4419b54971cdc574a2e9c71587a41ff7edad8f
                                        • Instruction Fuzzy Hash: 4EA13BB1905249DFDF10CFA4D988BDEBBF8BF58304F148159E819AB290D7749A44DBA0
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00178657
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00178679
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 001786A1
                                        • LocalAlloc.KERNEL32(00000040,00000044,00000000,E71D449C,?,00000000), ref: 001786F9
                                        • __Getctype.LIBCPMT ref: 0017877B
                                        • std::_Facet_Register.LIBCPMT ref: 001787E4
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017880E
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                        • String ID:
                                        • API String ID: 2372200979-0
                                        • Opcode ID: c3f9b618b69c2ca75bc87441b60d4d7fcf21afd6d15e474f73760936dcc14052
                                        • Instruction ID: 1daaf890e5725845107f6acb8bfcb1430654bab0400877cc577070520f710f46
                                        • Opcode Fuzzy Hash: c3f9b618b69c2ca75bc87441b60d4d7fcf21afd6d15e474f73760936dcc14052
                                        • Instruction Fuzzy Hash: AB61A171D04644DFDB11DF68C944B9ABBF4FF18314F248259E849AB391EB30AA85CB91
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 001792A0
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 001792C2
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 001792EA
                                        • LocalAlloc.KERNEL32(00000040,00000018,00000000,E71D449C,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00179342
                                        • __Getctype.LIBCPMT ref: 001793BD
                                        • std::_Facet_Register.LIBCPMT ref: 001793F8
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00179422
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                        • String ID:
                                        • API String ID: 2372200979-0
                                        • Opcode ID: e23133c5547cba0ed2826b2d0d6ea1f0746d702096383e572f08500afef0ba30
                                        • Instruction ID: 742cda0f85c37b1b0df09c55e01cd4c0850bae402b70bc110cbb4e2d116389d9
                                        • Opcode Fuzzy Hash: e23133c5547cba0ed2826b2d0d6ea1f0746d702096383e572f08500afef0ba30
                                        • Instruction Fuzzy Hash: 6151BD70904618DFCB11DF68C944BAEBBF4FF24714F208199E849AB392D770AE49CB91
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00193F57
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00193F5F
                                        • _ValidateLocalCookies.LIBCMT ref: 00193FE8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00194013
                                        • _ValidateLocalCookies.LIBCMT ref: 00194068
                                        Strings
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 7a7ec88b249ab491cd90b9134936975bf8263a8f795e579648ea0f5a18bb57cf
                                        • Instruction ID: 642639570da44d8af0ebff43afe095321ba775a7ac160fee62842455febc9c15
                                        • Opcode Fuzzy Hash: 7a7ec88b249ab491cd90b9134936975bf8263a8f795e579648ea0f5a18bb57cf
                                        • Instruction Fuzzy Hash: E141B034E002099FCF14DF68C885A9EBBB5BF54328F148156F9289B392C731EE15CBA1
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,001A7408,001A3841,0000000C,?,00000000,00000000,?,001A7632,00000021,FlsSetValue,001BBD58,001BBD60,?), ref: 001A73BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 3664257935-537541572
                                        • Opcode ID: ca7d9aee40dde318397c2e92b538268295c8bc42442ade7bae0ab02683a80711
                                        • Instruction ID: 5c2256de70ff7d06758028a5511b5de9a30248e49fdce51b6b16cdc3c45ffc4b
                                        • Opcode Fuzzy Hash: ca7d9aee40dde318397c2e92b538268295c8bc42442ade7bae0ab02683a80711
                                        • Instruction Fuzzy Hash: C521B739A09211EBDF22AB659C85E6A3798AF83770F260250FD15E76D0D770EE00D6E0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00188970
                                        • ctype.LIBCPMT ref: 001889B7
                                          • Part of subcall function 0018851C: __Getctype.LIBCPMT ref: 0018852B
                                          • Part of subcall function 0018270D: __EH_prolog3.LIBCMT ref: 00182714
                                          • Part of subcall function 0018270D: std::_Lockit::_Lockit.LIBCPMT ref: 0018271E
                                          • Part of subcall function 0018270D: std::_Lockit::~_Lockit.LIBCPMT ref: 0018278F
                                          • Part of subcall function 0017F3D9: __EH_prolog3.LIBCMT ref: 0017F3E0
                                          • Part of subcall function 0017F3D9: std::_Lockit::_Lockit.LIBCPMT ref: 0017F3EA
                                          • Part of subcall function 0017F3D9: std::_Lockit::~_Lockit.LIBCPMT ref: 0017F48E
                                          • Part of subcall function 00182837: __EH_prolog3.LIBCMT ref: 0018283E
                                          • Part of subcall function 00182837: std::_Lockit::_Lockit.LIBCPMT ref: 00182848
                                          • Part of subcall function 00182837: std::_Lockit::~_Lockit.LIBCPMT ref: 001828B9
                                          • Part of subcall function 0017F3D9: Concurrency::cancel_current_task.LIBCPMT ref: 0017F499
                                          • Part of subcall function 001829F6: __EH_prolog3.LIBCMT ref: 001829FD
                                          • Part of subcall function 001829F6: std::_Lockit::_Lockit.LIBCPMT ref: 00182A07
                                          • Part of subcall function 001829F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00182A78
                                          • Part of subcall function 00182961: __EH_prolog3.LIBCMT ref: 00182968
                                          • Part of subcall function 00182961: std::_Lockit::_Lockit.LIBCPMT ref: 00182972
                                          • Part of subcall function 00182961: std::_Lockit::~_Lockit.LIBCPMT ref: 001829E3
                                        • collate.LIBCPMT ref: 00188B05
                                        • numpunct.LIBCPMT ref: 00188DAF
                                        • __Getcoll.LIBCPMT ref: 00188B47
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                          • Part of subcall function 00176330: LocalAlloc.KERNEL32(00000040,?,00180E04,00000020,?,?,00179942,00000000,E71D449C,?,?,?,?,001B50DD,000000FF), ref: 00176336
                                        • codecvt.LIBCPMT ref: 00188E6D
                                          • Part of subcall function 00182E09: __EH_prolog3.LIBCMT ref: 00182E10
                                          • Part of subcall function 00182E09: std::_Lockit::_Lockit.LIBCPMT ref: 00182E1A
                                          • Part of subcall function 00182E09: std::_Lockit::~_Lockit.LIBCPMT ref: 00182E8B
                                          • Part of subcall function 00182F33: __EH_prolog3.LIBCMT ref: 00182F3A
                                          • Part of subcall function 00182F33: std::_Lockit::_Lockit.LIBCPMT ref: 00182F44
                                          • Part of subcall function 00182F33: std::_Lockit::~_Lockit.LIBCPMT ref: 00182FB5
                                          • Part of subcall function 001822FA: __EH_prolog3.LIBCMT ref: 00182301
                                          • Part of subcall function 001822FA: std::_Lockit::_Lockit.LIBCPMT ref: 0018230B
                                          • Part of subcall function 001822FA: std::_Lockit::~_Lockit.LIBCPMT ref: 0018237C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                        • String ID:
                                        • API String ID: 3494022857-0
                                        • Opcode ID: 5a262e6782441db582b57e36c1b6ea0c51fc2d04201e24faebed6363d9c59f14
                                        • Instruction ID: 139c82e88f1cc70d5a438ecf3496ae8e5a26de99caf011a4862b6615487142cf
                                        • Opcode Fuzzy Hash: 5a262e6782441db582b57e36c1b6ea0c51fc2d04201e24faebed6363d9c59f14
                                        • Instruction Fuzzy Hash: 8EE1B570C01215ABEB157FB48946ABF7AB5EF61750F44842DF80DA7281DF718E01DBA2
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017B531
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017B54F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017B577
                                        • LocalAlloc.KERNEL32(00000040,0000000C,00000000,E71D449C,?,00000000,00000000), ref: 0017B5CF
                                        • std::_Facet_Register.LIBCPMT ref: 0017B6B7
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017B6E1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                        • String ID:
                                        • API String ID: 3931714976-0
                                        • Opcode ID: a5a254c51b6118a7938e499c9e843914971b3253c4ecff8dba7e9d213adaa29d
                                        • Instruction ID: f2af4d0cb4feccbd43c00ba0f6c872cf36c8f56477b1f9341a6a1dae3f20bd18
                                        • Opcode Fuzzy Hash: a5a254c51b6118a7938e499c9e843914971b3253c4ecff8dba7e9d213adaa29d
                                        • Instruction Fuzzy Hash: AE51CEB0904218DFDB12DF58C880BAEBBF4FF24314F248159E819AB391D7B5DA44CB81
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017B731
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017B74F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017B777
                                        • LocalAlloc.KERNEL32(00000040,00000008,00000000,E71D449C,?,00000000,00000000), ref: 0017B7CF
                                        • std::_Facet_Register.LIBCPMT ref: 0017B863
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017B88D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                        • String ID:
                                        • API String ID: 3931714976-0
                                        • Opcode ID: 0fe5a5d5e9399350d86bbe880e9ef5c741fb1dd6db2a164f6de54eb9db794fe2
                                        • Instruction ID: 7db3379441c9dd4455155e4811c1156552fe4a450ea5de9d61d47ceb34cdbc3d
                                        • Opcode Fuzzy Hash: 0fe5a5d5e9399350d86bbe880e9ef5c741fb1dd6db2a164f6de54eb9db794fe2
                                        • Instruction Fuzzy Hash: 0D51BCB0908218DFCB15CF58C980BAEBBF4EF14314F24815DE859AB391D770AE45CB81
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID: a/p$am/pm
                                        • API String ID: 3509577899-3206640213
                                        • Opcode ID: 4210be9587dda8806bcc2208c3ad8d52482a1f47e9d716dd17dc1dfc2049e310
                                        • Instruction ID: 8f1ba36611b5c08ecee9560b5e039e1d2d8dff9e70e3a00f3457f3327fd8a365
                                        • Opcode Fuzzy Hash: 4210be9587dda8806bcc2208c3ad8d52482a1f47e9d716dd17dc1dfc2049e310
                                        • Instruction Fuzzy Hash: 24C1F17D900206DBDB2ACFA8C988ABAB7B1FF1F704F154049E545AB251D332AD41CF61
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0019596F,00194900,0019358F), ref: 00195986
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00195994
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001959AD
                                        • SetLastError.KERNEL32(00000000,0019596F,00194900,0019358F), ref: 001959FF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: a588e5f7205f12cec812a2824dd79a77438b9911afaf567599b134432a232f00
                                        • Instruction ID: 32cac00074dd461760059283f38dcdc0cd85fccf6ecda344b0e0be2b412d237f
                                        • Opcode Fuzzy Hash: a588e5f7205f12cec812a2824dd79a77438b9911afaf567599b134432a232f00
                                        • Instruction Fuzzy Hash: F4012837209B11EFBF2627787D85E5A2B56DB2137C7200329F415A45E0FF114C4152D4
                                        APIs
                                        • GetTempFileNameW.KERNEL32(?,URL,00000000,?,E71D449C,?,00000004), ref: 00173294
                                        • MoveFileW.KERNEL32(?,00000000), ref: 0017354A
                                        • DeleteFileW.KERNEL32(?), ref: 00173592
                                          • Part of subcall function 00171A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00171AF7
                                          • Part of subcall function 00171A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00171B7D
                                          • Part of subcall function 00172E60: LocalFree.KERNEL32(?,E71D449C,?,?,001B3C40,000000FF,?,00171242,E71D449C,?,?,001B3C75,000000FF), ref: 00172EB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: FileLocal$Free$AllocDeleteMoveNameTemp
                                        • String ID: URL$url
                                        • API String ID: 853893950-346267919
                                        • Opcode ID: aafb276623882e5aa6257b93e756295e1b1420a0652de92668f06612f534a5df
                                        • Instruction ID: 33b5e7bc9fde70fbd02754463b780c3b8e1072670320b1e738ce9bf273cd22d2
                                        • Opcode Fuzzy Hash: aafb276623882e5aa6257b93e756295e1b1420a0652de92668f06612f534a5df
                                        • Instruction Fuzzy Hash: 92C14870D142689ADB24DF28CC98BDDBBB4BF54304F1082D9D00DA7291EBB56B88CF91
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00173735
                                        • GetLastError.KERNEL32(?,?,?,001B4215,000000FF), ref: 0017381A
                                          • Part of subcall function 00172310: GetProcessHeap.KERNEL32 ref: 00172365
                                          • Part of subcall function 001746F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00173778,-00000010,?,?,?,001B4215,000000FF), ref: 00174736
                                        • _wcschr.LIBVCRUNTIME ref: 001737C6
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,001B4215,000000FF), ref: 001737DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
                                        • String ID: ntdll.dll
                                        • API String ID: 3941625479-2227199552
                                        • Opcode ID: 1829ddaa6e6baaeccd6b15129638b94d449f352532453c713605390d63233d7a
                                        • Instruction ID: 44ec9faac8b8ed2a20bf3f16d715857da24bd08859ecb24e3c882f7207c9dba4
                                        • Opcode Fuzzy Hash: 1829ddaa6e6baaeccd6b15129638b94d449f352532453c713605390d63233d7a
                                        • Instruction Fuzzy Hash: FB4190716006059FDB14DFA8CC49BAEB7B4FF14310F14862DF92A976C1EBB0AA04CB91
                                        APIs
                                          • Part of subcall function 00171A20: LocalFree.KERNEL32(?), ref: 00171A42
                                          • Part of subcall function 00193E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00171434,?,?,0017D341,00171434,001C8B5C,?,00171434,?,00000000), ref: 00193EBA
                                        • GetCurrentProcess.KERNEL32(E71D449C,E71D449C,?,?,00000000,001B4981,000000FF), ref: 001762EB
                                          • Part of subcall function 00192C98: EnterCriticalSection.KERNEL32(001CDD3C,?,?,?,001723B6,001CE638,E71D449C,?,?,001B3D6D,000000FF), ref: 00192CA3
                                          • Part of subcall function 00192C98: LeaveCriticalSection.KERNEL32(001CDD3C,?,?,?,001723B6,001CE638,E71D449C,?,?,001B3D6D,000000FF), ref: 00192CE0
                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 001762B0
                                        • GetProcAddress.KERNEL32(00000000), ref: 001762B7
                                          • Part of subcall function 00192C4E: EnterCriticalSection.KERNEL32(001CDD3C,?,?,00172427,001CE638,001B6B40), ref: 00192C58
                                          • Part of subcall function 00192C4E: LeaveCriticalSection.KERNEL32(001CDD3C,?,?,00172427,001CE638,001B6B40), ref: 00192C8B
                                          • Part of subcall function 00192C4E: RtlWakeAllConditionVariable.NTDLL ref: 00192D02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
                                        • String ID: IsWow64Process$kernel32
                                        • API String ID: 1333104975-3789238822
                                        • Opcode ID: d83b7825756e0e8c724ec63d01172887fcbb83e411642762cabf374ee7bd1747
                                        • Instruction ID: c588cb6c91cd27a1bfefd6b1618188af9a1731e7d8fbbaf325d55c3ad13704f8
                                        • Opcode Fuzzy Hash: d83b7825756e0e8c724ec63d01172887fcbb83e411642762cabf374ee7bd1747
                                        • Instruction Fuzzy Hash: 7F21E471904655EFCF10DFA4DD06F9DB7B8FB28B10F104229F815A3AD0EB74A940CA51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Mpunct$GetvalsH_prolog3
                                        • String ID: $+xv
                                        • API String ID: 2204710431-1686923651
                                        • Opcode ID: d14166e7f3a81a4b2d15301f3cef24a1b36b14f8457f09c3a1cd58c7e68d8cbc
                                        • Instruction ID: ed76080a7c2569d0f18833dc5be7f57ab2f805d7c57d2018f3cb330038a97087
                                        • Opcode Fuzzy Hash: d14166e7f3a81a4b2d15301f3cef24a1b36b14f8457f09c3a1cd58c7e68d8cbc
                                        • Instruction Fuzzy Hash: 8C2160B1904B92AEDB25EF74849077BBEF8AB19310F04495AE459C7A42D774E701CFA0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(E71D449C,E71D449C,?,?,00000000,001B4981,000000FF), ref: 001762EB
                                          • Part of subcall function 00192C98: EnterCriticalSection.KERNEL32(001CDD3C,?,?,?,001723B6,001CE638,E71D449C,?,?,001B3D6D,000000FF), ref: 00192CA3
                                          • Part of subcall function 00192C98: LeaveCriticalSection.KERNEL32(001CDD3C,?,?,?,001723B6,001CE638,E71D449C,?,?,001B3D6D,000000FF), ref: 00192CE0
                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 001762B0
                                        • GetProcAddress.KERNEL32(00000000), ref: 001762B7
                                          • Part of subcall function 00192C4E: EnterCriticalSection.KERNEL32(001CDD3C,?,?,00172427,001CE638,001B6B40), ref: 00192C58
                                          • Part of subcall function 00192C4E: LeaveCriticalSection.KERNEL32(001CDD3C,?,?,00172427,001CE638,001B6B40), ref: 00192C8B
                                          • Part of subcall function 00192C4E: RtlWakeAllConditionVariable.NTDLL ref: 00192D02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                        • String ID: IsWow64Process$kernel32
                                        • API String ID: 2056477612-3789238822
                                        • Opcode ID: 210aa0bb819cdb346ec54143f64b807a9965ab9d34a1d065642704e0d5b81a8e
                                        • Instruction ID: b7fddce46ca769a306d1fd44b09c872053406fadcf70f473fdbd91cd270321a1
                                        • Opcode Fuzzy Hash: 210aa0bb819cdb346ec54143f64b807a9965ab9d34a1d065642704e0d5b81a8e
                                        • Instruction Fuzzy Hash: 7E11A2B2D08A54DFDB10CF54DD45F99B7F8F728B10F00426AE81593BD0E775A940CA51
                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00196AA3,?,?,001CDDCC,00000000,?,00196BCE,00000004,InitializeCriticalSectionEx,001B97E8,InitializeCriticalSectionEx,00000000), ref: 00196A72
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        • Opcode ID: 8504eb603ad234a3afebc27616ce7c651d6ff8c807f55744f21bc318d538dda0
                                        • Instruction ID: e545c9310ede91e57e1518c31cb5486a11cbd8799fb199d00cb11ffc98b847d1
                                        • Opcode Fuzzy Hash: 8504eb603ad234a3afebc27616ce7c651d6ff8c807f55744f21bc318d538dda0
                                        • Instruction Fuzzy Hash: 0111E532E04225ABCF229B689C45B5D37E49F42770F254260FA15FB2C0D770EE4086F5
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E71D449C,?,?,00000000,001B6A6C,000000FF,?,001A2DC1,?,?,001A2D95,?), ref: 001A2E23
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001A2E35
                                        • FreeLibrary.KERNEL32(00000000,?,00000000,001B6A6C,000000FF,?,001A2DC1,?,?,001A2D95,?), ref: 001A2E57
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: e769a8f707db8173812d02dcab761367e6519bbda19d4fe8158a6b40bb42e44d
                                        • Instruction ID: 311346a41eba808795862e777f8bd127b6f2a1dc8509b42c1de8d7229236e156
                                        • Opcode Fuzzy Hash: e769a8f707db8173812d02dcab761367e6519bbda19d4fe8158a6b40bb42e44d
                                        • Instruction Fuzzy Hash: E701D676A08619EFCB128F54CC05FFFBBB8FB48B10F000629F811A26E0DB759940CA90
                                        APIs
                                        • __alloca_probe_16.LIBCMT ref: 001A6E40
                                        • __alloca_probe_16.LIBCMT ref: 001A6F01
                                        • __freea.LIBCMT ref: 001A6F68
                                          • Part of subcall function 001A5BDC: HeapAlloc.KERNEL32(00000000,00000000,001A3841,?,001A543A,?,00000000,?,00196CE7,00000000,001A3841,00000000,?,?,?,001A363B), ref: 001A5C0E
                                        • __freea.LIBCMT ref: 001A6F7D
                                        • __freea.LIBCMT ref: 001A6F8D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16$AllocHeap
                                        • String ID:
                                        • API String ID: 1096550386-0
                                        • Opcode ID: dd004d643a036f24f94b76d9eb166eb74039989adfb7a71a78f49896ecf62cc9
                                        • Instruction ID: 4f843409c97f0f050fb0d15be7a3e19cae9591680915b14662a2c9d31d7d3cb1
                                        • Opcode Fuzzy Hash: dd004d643a036f24f94b76d9eb166eb74039989adfb7a71a78f49896ecf62cc9
                                        • Instruction Fuzzy Hash: 4D51C17A600216AFEF259FA4DC91EBF3AA9EF1A750B190129FD08D7251E735CD10C7A0
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017B8DD
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017B900
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017B928
                                        • std::_Facet_Register.LIBCPMT ref: 0017B98D
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017B9B7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                        • String ID:
                                        • API String ID: 459529453-0
                                        • Opcode ID: 8cd308b1a2fc553c770a5d09887f01703d53be456bc884e87996b6c124dde85a
                                        • Instruction ID: 60226fe155210ebe75e67a962e9a4e471e602dd0c6b0a2d31ca3c34d1723cd70
                                        • Opcode Fuzzy Hash: 8cd308b1a2fc553c770a5d09887f01703d53be456bc884e87996b6c124dde85a
                                        • Instruction Fuzzy Hash: AB31E771904218DFCB11DF58D980BAEBBF4EF24328F148199EA18673A1D731AE45CB91
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,?,75EF4450,00175646,?,?,?,?,?), ref: 00175898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                        • API String ID: 1452528299-1782174991
                                        • Opcode ID: afde9ee2cc17227d4246813ad35914d799bf881e500808739e87e0afbd38cb29
                                        • Instruction ID: 33bb988744884d4a3d1e25f9eb53955fdc6658e469c453e67a50f48a94e00584
                                        • Opcode Fuzzy Hash: afde9ee2cc17227d4246813ad35914d799bf881e500808739e87e0afbd38cb29
                                        • Instruction Fuzzy Hash: 7A117C16A10621C7CB301F6D980072AA2F6EF64758F65447EE989A7391EBB58CC18395
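Of the records in this part of the listing, the function at 00175898 is the one that merits a human look: its referenced strings show it logging the result of a ShellExecuteEx() call and the matching GetLastError() value, whereas the surrounding records are statically linked MSVC runtime and STL locale helpers (LIBCMT, LIBCPMT) and the CRT's standard exit path, which resolves CorExitProcess from mscoree.dll. The Python below is an added triage helper, not part of this report or of Joe Sandbox: it parses records in this listing format, separates genuine OS imports from CRT-internal calls, and flags records against a watchlist and string hints. The SAMPLE text is constructed from three records on this page with the hash lines dropped; the watchlist, the string hints and the CorExitProcess exclusion are assumptions to tune per case.

```python
"""Added triage helper for the per-function "APIs / Strings / Similarity" records of a
Joe Sandbox disassembly listing. Not part of the report or of Joe Sandbox."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three records from this page, metadata reduced to the lines used here.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E71D449C,?,?,00000000,001B6A6C,000000FF,?,001A2DC1,?,?,001A2D95,?), ref: 001A2E23
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001A2E35
• FreeLibrary.KERNEL32(00000000,?,00000000,001B6A6C,000000FF,?,001A2DC1,?,?,001A2D95,?), ref: 001A2E57
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• GetLastError.KERNEL32(00000000,?,?,75EF4450,00175646,?,?,?,?,?), ref: 00175898
Similarity
• API ID: ErrorLast
• String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
• API String ID: 1452528299-1782174991
APIs
• __EH_prolog3.LIBCMT ref: 0017D883
• std::_Lockit::_Lockit.LIBCPMT ref: 0017D88D
  • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
• numpunct.LIBCPMT ref: 0017D8C7
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
• String ID:
• API String ID: 743221004-0
"""

CRT_MODULES = {"LIBCMT", "LIBCPMT"}  # statically linked MSVC C/C++ runtime, not OS imports

# "• Name.MODULE(arg,arg), ref: ADDR"  or  "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<caller>[0-9A-F]+):\s+)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# "• Key: value" metadata lines of the Similarity / Memory Dump Source sections
KV_RE = re.compile(
    r"^\s*•\s+(API String ID|API ID|String ID|Opcode ID|Instruction ID|Opcode Fuzzy Hash|"
    r"Instruction Fuzzy Hash|Source File|Snapshot File):\s*(.*)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                            # address of the call site
    via_subcall: Optional[str] = None   # callee address when the plugin folded a subcall in


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def imports(self):
        """Calls into real OS modules (KERNEL32 etc.); CRT-internal helpers are noise."""
        return [a for a in self.apis if a.module not in CRT_MODULES]


def parse_listing(text):
    """Split the listing into FuncRecords; a record starts at each bare 'APIs' line."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") is not None else []
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("caller")))
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            cur.meta[key] = val
            if key == "String ID":          # '$'-joined list of referenced strings
                cur.strings = [s for s in val.split("$") if s]
    return records


# Assumed watchlist and string hints (lower-case); tune them to the case at hand.
WATCHLIST = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW", "ShellExecuteExA", "ShellExecuteExW",
             "CreateProcessA", "CreateProcessW", "WinExec", "VirtualAlloc", "WriteProcessMemory",
             "CreateRemoteThread", "listen", "bind"}
STRING_HINTS = ("shellexecute", "cmd", "http", "\\windows\\")


def triage(records):
    """Return [(record, reasons)] for records worth a human look; CRT-only records are skipped."""
    hits = []
    for r in records:
        if not r.imports:
            continue                        # only LIBCMT/LIBCPMT calls: runtime boilerplate
        reasons = []
        for a in r.imports:
            if a.name == "GetProcAddress" and "CorExitProcess" in a.args:
                continue                    # MSVC CRT exit path (mscoree.dll!CorExitProcess), benign
            if a.name in WATCHLIST:
                reasons.append(f"{a.name} @ {a.ref}")
        for s in r.strings:
            if any(h in s.lower() for h in STRING_HINTS):
                reasons.append(f"string {s!r}")
        if reasons:
            hits.append((r, reasons))
    return hits


if __name__ == "__main__":
    for rec, why in triage(parse_listing(SAMPLE)):
        print(rec.meta.get("API String ID"), why)
```

Run against the full function listing, this leaves the ShellExecuteEx logging function as the only hit among the three sample records; the CRT exit-path record drops out because its GetProcAddress resolves CorExitProcess, and the STL locale record drops out because every call is LIBCMT/LIBCPMT-internal. The API String ID and the fuzzy hashes stay in `meta`, so hits can be pivoted against other reports without re-parsing.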
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Maklocstr$Maklocchr
                                        • String ID:
                                        • API String ID: 2020259771-0
                                        • Opcode ID: 9fd6c843a20033ecde6682765710fe712cc633a870656aa5713ee4cc25d27043
                                        • Instruction ID: 49836d64b5f45cf88dd1f750c9ab3ddd58a1cca82d2b551a3c6324886493843a
                                        • Opcode Fuzzy Hash: 9fd6c843a20033ecde6682765710fe712cc633a870656aa5713ee4cc25d27043
                                        • Instruction Fuzzy Hash: E6119EB2940B84BFE720EBA5C881F52B7ECAF14750F084919F645CBA41D364FE518BA5
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0017D883
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017D88D
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • numpunct.LIBCPMT ref: 0017D8C7
                                        • std::_Facet_Register.LIBCPMT ref: 0017D8DE
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017D8FE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                        • String ID:
                                        • API String ID: 743221004-0
                                        • Opcode ID: 9bb3efe15d573743337b5cdffd1fdc02903a28b87e3e632a2587c2dae15f2297
                                        • Instruction ID: 6ac035da93b7c88c98dd04bbf3eb8813b4e25f73b62ec359c33fbf337f631203
                                        • Opcode Fuzzy Hash: 9bb3efe15d573743337b5cdffd1fdc02903a28b87e3e632a2587c2dae15f2297
                                        • Instruction Fuzzy Hash: B911ED3590021A9BCF06FBA4E801ABE7B71AFA4714F24845DF519AB2D1CF309E058B92
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182396
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 001823A0
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • codecvt.LIBCPMT ref: 001823DA
                                        • std::_Facet_Register.LIBCPMT ref: 001823F1
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182411
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                        • String ID:
                                        • API String ID: 712880209-0
                                        • Opcode ID: 0cc2a762be09e0f8dbf234eb6370ecef536c58757d2f98d67223ed88504be9e9
                                        • Instruction ID: fb6fb939e7badd2c7bdc4cfff8be2eb549a2c8977c2a8dc108827337a8c2af31
                                        • Opcode Fuzzy Hash: 0cc2a762be09e0f8dbf234eb6370ecef536c58757d2f98d67223ed88504be9e9
                                        • Instruction Fuzzy Hash: 6D010C35A002198BCB06FB649805ABE77B1AFA4B10F244519F4147B292DF74DF44CFA0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018242B
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182435
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • collate.LIBCPMT ref: 0018246F
                                        • std::_Facet_Register.LIBCPMT ref: 00182486
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 001824A6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                        • String ID:
                                        • API String ID: 1007100420-0
                                        • Opcode ID: 3152f1f19e0dee2db0f491ed546b394826f77263cc1fe2974c59327290c80b77
                                        • Instruction ID: 38f251fd48a48808b1ed93453f4420b7c8ff247035d9b3ae156e07f275dab5f9
                                        • Opcode Fuzzy Hash: 3152f1f19e0dee2db0f491ed546b394826f77263cc1fe2974c59327290c80b77
                                        • Instruction Fuzzy Hash: 8301CC35900219DBCB06FBA4E805AAEBBB1AFA4720F244409F4156B2D2DF709F45CFA0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 001824C0
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 001824CA
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • collate.LIBCPMT ref: 00182504
                                        • std::_Facet_Register.LIBCPMT ref: 0018251B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018253B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                        • String ID:
                                        • API String ID: 1007100420-0
                                        • Opcode ID: c1207ba15e21e8675c2a4e44162b403654399b06f00618daa461954b93cc703e
                                        • Instruction ID: 3ee6edc54796089124a330afc4dcae3ff9a3f34ad85667169f8c24a3a120aefc
                                        • Opcode Fuzzy Hash: c1207ba15e21e8675c2a4e44162b403654399b06f00618daa461954b93cc703e
                                        • Instruction Fuzzy Hash: 4B01DE35900219DBCB0AFB64E849AAEB7B1AFA4B20F244409F414AB2D1CF30DF448F90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182555
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018255F
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • ctype.LIBCPMT ref: 00182599
                                        • std::_Facet_Register.LIBCPMT ref: 001825B0
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 001825D0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                        • String ID:
                                        • API String ID: 83828444-0
                                        • Opcode ID: dd010a4f98b7d555e881ccb8fe08d828bfdb558a335848863f034327572d199d
                                        • Instruction ID: 23bbc8ad0d0d6a856bc1a74923e308e30a0f56e2d840c0ec0a6bbd2df39304ef
                                        • Opcode Fuzzy Hash: dd010a4f98b7d555e881ccb8fe08d828bfdb558a335848863f034327572d199d
                                        • Instruction Fuzzy Hash: 6001CC359002199BCB16FB64D815AAEBBB1AFA8720F244519F425AB2D2DF70DF44CF90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 001825EA
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 001825F4
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • messages.LIBCPMT ref: 0018262E
                                        • std::_Facet_Register.LIBCPMT ref: 00182645
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182665
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                        • String ID:
                                        • API String ID: 2750803064-0
                                        • Opcode ID: 4a650ee7facc8c1ee8e84e526fac5e193635abe714efc1eae0737fe3e9e24c3f
                                        • Instruction ID: 221eb0dd49acb440b5d908bc273b8da7ac5ecee88d6f56800fcb4c79a21ae396
                                        • Opcode Fuzzy Hash: 4a650ee7facc8c1ee8e84e526fac5e193635abe714efc1eae0737fe3e9e24c3f
                                        • Instruction Fuzzy Hash: 3601DE359002199BCB16FBA4E815AAEBBB1BFA4710F24450AF8146B2D2DF709F05CF90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018267F
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182689
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • messages.LIBCPMT ref: 001826C3
                                        • std::_Facet_Register.LIBCPMT ref: 001826DA
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 001826FA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                        • String ID:
                                        • API String ID: 2750803064-0
                                        • Opcode ID: 5d1be01b734832030a166b89172077ecd6fc4ed34ba0e9c28f9f57c7ece77b86
                                        • Instruction ID: 3605576a7fb99566534a2d1edeed360f2e2430a99265d4a8481b1f2ade78d546
                                        • Opcode Fuzzy Hash: 5d1be01b734832030a166b89172077ecd6fc4ed34ba0e9c28f9f57c7ece77b86
                                        • Instruction Fuzzy Hash: EE01CC359006199FCB06FB64D805AAE77B1AFA8720F244449F9146B292DF709F058F90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018E84A
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018E854
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • collate.LIBCPMT ref: 0018E88E
                                        • std::_Facet_Register.LIBCPMT ref: 0018E8A5
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018E8C5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                        • String ID:
                                        • API String ID: 1007100420-0
                                        • Opcode ID: f6c7282c51ed4826a384bf0d91917ade6c80752ce8dd8f262e165ebcdbda3128
                                        • Instruction ID: b8a8270a534a674fc673961b08272e7a15cc6d40a4f50ae1d29a7c2e5c67fac8
                                        • Opcode Fuzzy Hash: f6c7282c51ed4826a384bf0d91917ade6c80752ce8dd8f262e165ebcdbda3128
                                        • Instruction Fuzzy Hash: 36019235900129DFCB05FB64D806AAE77B1BFA5710F248519F8156B2D1CF749F048F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018E8DF
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018E8E9
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • messages.LIBCPMT ref: 0018E923
                                        • std::_Facet_Register.LIBCPMT ref: 0018E93A
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018E95A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                        • String ID:
                                        • API String ID: 2750803064-0
                                        • Opcode ID: 0782cea144928a77096dbed52ef1524e4002014c934e304c84bcbe68857e10ec
                                        • Instruction ID: 3a8a283da8081bddfa82d7bf2fbdd77f9a94a40bf6a52cae0b9ff3a8f38a3e58
                                        • Opcode Fuzzy Hash: 0782cea144928a77096dbed52ef1524e4002014c934e304c84bcbe68857e10ec
                                        • Instruction Fuzzy Hash: C8018C359002199BCB16FB649845ABE7BB1BFA4714F254509F818AB292CF749F04CF91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182968
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182972
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • moneypunct.LIBCPMT ref: 001829AC
                                        • std::_Facet_Register.LIBCPMT ref: 001829C3
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 001829E3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: fb30b7a6796d0e2f4996095a82cf522089a1dbde5c683d65d4bb1f6fdfbd9fb2
                                        • Instruction ID: 2c0c3c89659f88cd443d23428605be6f01eac44059f0e4356c75fb47a9b03a8f
                                        • Opcode Fuzzy Hash: fb30b7a6796d0e2f4996095a82cf522089a1dbde5c683d65d4bb1f6fdfbd9fb2
                                        • Instruction Fuzzy Hash: 2D01D235900129DBCB06FB64D806AAE77B1AFA8714F254549F424672D2CF709F048F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 001829FD
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182A07
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • moneypunct.LIBCPMT ref: 00182A41
                                        • std::_Facet_Register.LIBCPMT ref: 00182A58
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182A78
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: b37f7570041d566e61aeb2026fa8b9a3e0ca5ad8a61f044e3eea55fcf4479f0e
                                        • Instruction ID: d12116ffa232db445ee867728e745d764ae684948a032b07aa1253e45f6803d4
                                        • Opcode Fuzzy Hash: b37f7570041d566e61aeb2026fa8b9a3e0ca5ad8a61f044e3eea55fcf4479f0e
                                        • Instruction Fuzzy Hash: C501DE35900229DFCB1AFB64D845ABEB7B1AFA8710F264509F8156B2D2CF709F458F90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018EA9E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018EAA8
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • moneypunct.LIBCPMT ref: 0018EAE2
                                        • std::_Facet_Register.LIBCPMT ref: 0018EAF9
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018EB19
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: d9327b0443f596b1f8d7a4a2f06ea0037637ef3db41f5a18ecf2e1460bf6255e
                                        • Instruction ID: 77ce0f9ed750637e43d9866db71497411ba0401e5fa964f1fa3bdf652062c655
                                        • Opcode Fuzzy Hash: d9327b0443f596b1f8d7a4a2f06ea0037637ef3db41f5a18ecf2e1460bf6255e
                                        • Instruction Fuzzy Hash: 8101CC36A002199BCB16FB649805AAE77B1BFA4720F244509F4296B2D2CF30DF048F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182A92
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182A9C
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • moneypunct.LIBCPMT ref: 00182AD6
                                        • std::_Facet_Register.LIBCPMT ref: 00182AED
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182B0D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: 9f0e5366aa948a78dace4b649113240cc699d64e2cc8f61da7d638b74cfc449a
                                        • Instruction ID: 6ea94db37fc50313bf55db55890c2438e12cfc79369d24e02f690c5d146c8acc
                                        • Opcode Fuzzy Hash: 9f0e5366aa948a78dace4b649113240cc699d64e2cc8f61da7d638b74cfc449a
                                        • Instruction Fuzzy Hash: 3101CC369002199FCB16FF649805AAE77B1AFA4720F244809F914AB2D2CF749F04CF91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018EB33
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018EB3D
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • moneypunct.LIBCPMT ref: 0018EB77
                                        • std::_Facet_Register.LIBCPMT ref: 0018EB8E
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018EBAE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: 11409f2325f06929444f8929a8fc77a96e3101fe9e07b2255c4b5e01f9f98d7a
                                        • Instruction ID: bc6cda2cfd32e521e53d51df23acd45ad002df74c0fca267de8bcb009d2d14aa
                                        • Opcode Fuzzy Hash: 11409f2325f06929444f8929a8fc77a96e3101fe9e07b2255c4b5e01f9f98d7a
                                        • Instruction Fuzzy Hash: E501CC35900119DFCB16FB64D885AAEB7B1AFA8710F254409F4156B2D2CF709F058F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182B27
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182B31
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • moneypunct.LIBCPMT ref: 00182B6B
                                        • std::_Facet_Register.LIBCPMT ref: 00182B82
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182BA2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                        • String ID:
                                        • API String ID: 419941038-0
                                        • Opcode ID: 6f63e3d4e883ba97dba2bab54023e572eed4619d4574be605243306099c6ade1
                                        • Instruction ID: 5021c7323fcacc123b3cb064aba19f129064192f67fe98bf8bb04085416e33f5
                                        • Opcode Fuzzy Hash: 6f63e3d4e883ba97dba2bab54023e572eed4619d4574be605243306099c6ade1
                                        • Instruction Fuzzy Hash: FC01D235901219DBCB16FF64D845AAE7771BFA4720F244409F514672D2DF309F448F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182D7B
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182D85
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • numpunct.LIBCPMT ref: 00182DBF
                                        • std::_Facet_Register.LIBCPMT ref: 00182DD6
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182DF6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                        • String ID:
                                        • API String ID: 743221004-0
                                        • Opcode ID: f2978e88e77e2371cae6dc152e7c18686f5cde20db5cea5828384e606e9e4331
                                        • Instruction ID: b8adcc77cc07f00a66208db8edeadf1f7c97bb9df121aa12aafe97bf044e08df
                                        • Opcode Fuzzy Hash: f2978e88e77e2371cae6dc152e7c18686f5cde20db5cea5828384e606e9e4331
                                        • Instruction Fuzzy Hash: 1A01CC369002199BCB06FBA4D805ABE7BB1BFA4710F254909F414AB292CF749F05CF90
                                        APIs
                                        • EnterCriticalSection.KERNEL32(001CDD3C,?,?,00172427,001CE638,001B6B40), ref: 00192C58
                                        • LeaveCriticalSection.KERNEL32(001CDD3C,?,?,00172427,001CE638,001B6B40), ref: 00192C8B
                                        • RtlWakeAllConditionVariable.NTDLL ref: 00192D02
                                        • SetEvent.KERNEL32(?,00172427,001CE638,001B6B40), ref: 00192D0C
                                        • ResetEvent.KERNEL32(?,00172427,001CE638,001B6B40), ref: 00192D18
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                        • String ID:
                                        • API String ID: 3916383385-0
                                        • Opcode ID: 3199273ffb2b6748ce03479fb771a31f354e49e63b5f5a8cbf6f4ab21962ff5b
                                        • Instruction ID: 160a88c27ce887452d05e2ed3ab79aec72e9be4c9ad49bd98c2a84992072af1b
                                        • Opcode Fuzzy Hash: 3199273ffb2b6748ce03479fb771a31f354e49e63b5f5a8cbf6f4ab21962ff5b
                                        • Instruction Fuzzy Hash: 8701F675905120DFCB15AF98FC48EA9BBB5FB89751701046AF90697BA0CB309DC2DBE0
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,00000018,E71D449C,?,00000000), ref: 0017BBA3
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 0017BD7F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: AllocConcurrency::cancel_current_taskLocal
                                        • String ID: false$true
                                        • API String ID: 3924972193-2658103896
                                        • Opcode ID: 491e22d5ebf446273e1ef9047d73bd63eb1dda90eb1677aece8d5928d1f84b37
                                        • Instruction ID: 090166f0d095444e8b7e586486cf037ba8120bf1f57f2c13dc845faa9b31117a
                                        • Opcode Fuzzy Hash: 491e22d5ebf446273e1ef9047d73bd63eb1dda90eb1677aece8d5928d1f84b37
                                        • Instruction Fuzzy Hash: 726192B1D00748DBDB10DFA4C941BDEBBF8FF14704F14826AE855AB281E775AA84CB91
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0018D3D2
                                          • Part of subcall function 0018254E: __EH_prolog3.LIBCMT ref: 00182555
                                          • Part of subcall function 0018254E: std::_Lockit::_Lockit.LIBCPMT ref: 0018255F
                                          • Part of subcall function 0018254E: std::_Lockit::~_Lockit.LIBCPMT ref: 001825D0
                                        • _Find_elem.LIBCPMT ref: 0018D46E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                        • String ID: %.0Lf$0123456789-
                                        • API String ID: 2544715827-3094241602
                                        • Opcode ID: 166ad77e39f8fa226e36e1f77bba0b723cc342a23bb9b243b8e4ba794d193feb
                                        • Instruction ID: 46e93b54eac8137cf21aefdc5b80569a59ef67aae717da653d5c30fc2cb32e90
                                        • Opcode Fuzzy Hash: 166ad77e39f8fa226e36e1f77bba0b723cc342a23bb9b243b8e4ba794d193feb
                                        • Instruction Fuzzy Hash: 87414B31900218DFCF15EFA4D881AEEBBB5FF58314F500159E815AB295DB30AA56CFA1
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0018D676
                                          • Part of subcall function 00178610: std::_Lockit::_Lockit.LIBCPMT ref: 00178657
                                          • Part of subcall function 00178610: std::_Lockit::_Lockit.LIBCPMT ref: 00178679
                                          • Part of subcall function 00178610: std::_Lockit::~_Lockit.LIBCPMT ref: 001786A1
                                          • Part of subcall function 00178610: std::_Lockit::~_Lockit.LIBCPMT ref: 0017880E
                                        • _Find_elem.LIBCPMT ref: 0018D712
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                        • String ID: 0123456789-$0123456789-
                                        • API String ID: 3042121994-2494171821
                                        • Opcode ID: 2cd634e764c19049142f075191ad0366bbaa356ed3480ebdf42ca6b4b44c1f7f
                                        • Instruction ID: 473a05f323a270d6b9d03b70f163e8552ffe54136eec6fb9c67c4bed1ebafc0a
                                        • Opcode Fuzzy Hash: 2cd634e764c19049142f075191ad0366bbaa356ed3480ebdf42ca6b4b44c1f7f
                                        • Instruction Fuzzy Hash: B4416A31900218DFCF15EFA8D880AEEBBB5FF18314F500199F815AB295DB309A56CFA1
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 00191761
                                          • Part of subcall function 00179270: std::_Lockit::_Lockit.LIBCPMT ref: 001792A0
                                          • Part of subcall function 00179270: std::_Lockit::_Lockit.LIBCPMT ref: 001792C2
                                          • Part of subcall function 00179270: std::_Lockit::~_Lockit.LIBCPMT ref: 001792EA
                                          • Part of subcall function 00179270: std::_Lockit::~_Lockit.LIBCPMT ref: 00179422
                                        • _Find_elem.LIBCPMT ref: 001917FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                        • String ID: 0123456789-$0123456789-
                                        • API String ID: 3042121994-2494171821
                                        • Opcode ID: 150c034d95e688f40a9df313e181b783c87fe65ceafbc27ca964d4b0c9f2858a
                                        • Instruction ID: 7a51aee7de3f163f51ec11f5d67cd65e3cf7f481c6c2d279587ef1ca7213b183
                                        • Opcode Fuzzy Hash: 150c034d95e688f40a9df313e181b783c87fe65ceafbc27ca964d4b0c9f2858a
                                        • Instruction Fuzzy Hash: AA416D3190020AEFCF05EFA4D891AEEBBB5FF14314F10415AF811AB252DB35EA46DB91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018838D
                                          • Part of subcall function 00181C42: _Maklocstr.LIBCPMT ref: 00181C62
                                          • Part of subcall function 00181C42: _Maklocstr.LIBCPMT ref: 00181C7F
                                          • Part of subcall function 00181C42: _Maklocstr.LIBCPMT ref: 00181C9C
                                          • Part of subcall function 00181C42: _Maklocchr.LIBCPMT ref: 00181CAE
                                          • Part of subcall function 00181C42: _Maklocchr.LIBCPMT ref: 00181CC1
                                        • _Mpunct.LIBCPMT ref: 0018841A
                                        • _Mpunct.LIBCPMT ref: 00188434
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                         • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                         • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Similarity
                                        • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                        • String ID: $+xv
                                        • API String ID: 2939335142-1686923651
                                        Similarity
                                        • API ID: Mpunct$H_prolog3
                                        • String ID: $+xv
                                        • API String ID: 4281374311-1686923651
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00171434,?,00000000), ref: 00172569
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00171434,?,00000000), ref: 00172589
                                        • LocalFree.KERNEL32(?,00171434,?,00000000), ref: 001725DF
                                        • CloseHandle.KERNEL32(00000000,E71D449C,?,00000000,001B3C40,000000FF,00000008,?,?,?,?,00171434,?,00000000), ref: 00172633
                                        • LocalFree.KERNEL32(?,E71D449C,?,00000000,001B3C40,000000FF,00000008,?,?,?,?,00171434), ref: 00172647
                                        Similarity
                                        • API ID: Local$AllocFree$CloseHandle
                                        • String ID:
                                        • API String ID: 1291444452-0
                                        APIs
                                        • GetConsoleOutputCP.KERNEL32(E71D449C,?,00000000,?), ref: 001B1DFE
                                          • Part of subcall function 001AA9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,001A6F5E,?,00000000,-00000008), ref: 001AAA67
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001B2059
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001B20A1
                                        • GetLastError.KERNEL32 ref: 001B2144
                                        Similarity
                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                        • String ID:
                                        • API String ID: 2112829910-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0019011D
                                        • collate.LIBCPMT ref: 00190126
                                          • Part of subcall function 0018EDF2: __EH_prolog3_GS.LIBCMT ref: 0018EDF9
                                          • Part of subcall function 0018EDF2: __Getcoll.LIBCPMT ref: 0018EE5D
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • __Getcoll.LIBCPMT ref: 0019016C
                                        • numpunct.LIBCPMT ref: 001903C4
                                          • Part of subcall function 00176330: LocalAlloc.KERNEL32(00000040,?,00180E04,00000020,?,?,00179942,00000000,E71D449C,?,?,?,?,001B50DD,000000FF), ref: 00176336
                                        Similarity
                                        • API ID: GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
                                        • String ID:
                                        • API String ID: 259100098-0
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00176FB7
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                        • API String ID: 1452528299-1781106413
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0017F3E0
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017F3EA
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017F48E
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 0017F499
                                        Similarity
                                        • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                        • String ID:
                                        • API String ID: 4244582100-0
                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,E71D449C), ref: 0017CD1C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0017CD3C
                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0017CD6D
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0017CD86
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerWrite
                                        • String ID:
                                        • API String ID: 3604237281-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182301
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018230B
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0018235C
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018237C
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0017D6C4
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017D6CE
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0017D71F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017D73F
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182714
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018271E
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0018276F
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018278F
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0017D759
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017D763
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0017D7B4
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017D7D4
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 001827A9
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 001827B3
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182804
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182824
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 34819fbf6a7146143f6e70bda3f7b0baabac8ed1877b87a18886f42cc807bd54
                                        • Instruction ID: fd1be86ae71cbd5b83b82e9effa57b801f7e872871d1121517f658554566a801
                                        • Opcode Fuzzy Hash: 34819fbf6a7146143f6e70bda3f7b0baabac8ed1877b87a18886f42cc807bd54
                                        • Instruction Fuzzy Hash: 8701DE359002199BCF06FBA4D805AAE77B1BFA8720F244509F9156B2D2CF309F05CF91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0017D7EE
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017D7F8
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0017D849
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0017D869
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 04c026074ae41fcc667f10c482e1840a6c48c8c998f51bd208d57c7ae77a259d
                                        • Instruction ID: 2543d99a31470c22041ca4ab81cc26e60636ffd4bdebc6f6cd26a63886e9fcb9
                                        • Opcode Fuzzy Hash: 04c026074ae41fcc667f10c482e1840a6c48c8c998f51bd208d57c7ae77a259d
                                        • Instruction Fuzzy Hash: 6B01D631900219DFCB15FBA4E846ABEB7B1AFA4720F248449F4196B2D1CF30DE458B92
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018283E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182848
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182899
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 001828B9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 09ae228ef7a1fb2d6c0c9b82fc24e7f383b20ef7b5eaec63a1c5dabe2d708bbf
                                        • Instruction ID: 9565d86538cb4a0cea4768edc2d9ff08736e1bffb986c76b6a8c1a45a9500bbe
                                        • Opcode Fuzzy Hash: 09ae228ef7a1fb2d6c0c9b82fc24e7f383b20ef7b5eaec63a1c5dabe2d708bbf
                                        • Instruction Fuzzy Hash: 1F01A9359005299BCB06FBA4D905ABE77B1BFA4720F254519E414AB292CF709B048F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 001828D3
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 001828DD
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0018292E
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018294E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: e5899b029bd63da71fad9a43e8eb5b5393f4b7707c72e3eda6e9ef4590372899
                                        • Instruction ID: 9d560badb3d1d30bd7f70c46f3016215b962b4023e491f4377392b6de9b5f06e
                                        • Opcode Fuzzy Hash: e5899b029bd63da71fad9a43e8eb5b5393f4b7707c72e3eda6e9ef4590372899
                                        • Instruction Fuzzy Hash: 3F0100359002298BCB06FB649851ABE77B1AFA4720F244508F42467292CF709F058F90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018E974
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018E97E
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0018E9CF
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018E9EF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 3e28ceb335f4f502dd9e22f8b1b767c045587241dcecf20bd6f58673396bffad
                                        • Instruction ID: 0228c949d494ca1407b54dcbc27fe9278c9e9e2b48d2a865e4e7d4dcdfab2166
                                        • Opcode Fuzzy Hash: 3e28ceb335f4f502dd9e22f8b1b767c045587241dcecf20bd6f58673396bffad
                                        • Instruction Fuzzy Hash: E701DE35900129ABCB16FB64D806ABE7BB1AFA4714F254509F5146B2E2CFB09F048F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018EA09
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018EA13
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0018EA64
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018EA84
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: a5f017c3673d5b12d278cccbd7a4b243ed328cc9469bb1b0e0c341f64870cb18
                                        • Instruction ID: 1c2ee08493ea8b14c69250d36acf7768a687fc32c7aa37bb552911c708f2bcfa
                                        • Opcode Fuzzy Hash: a5f017c3673d5b12d278cccbd7a4b243ed328cc9469bb1b0e0c341f64870cb18
                                        • Instruction Fuzzy Hash: 7301D2359002199BCB19FB64D845AAEB7B1BFA4B10F254509F4146B2D2CF309F448F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182BBC
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182BC6
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182C17
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182C37
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 816fcecda1f769583c3765ed0f4c3d7f6d0ac69af40f8ce4c00a1947da190021
                                        • Instruction ID: 7e2a3f48b09b6f89ac4bfc2446eaa9c8f313bd9a4774c0afb2348bcb25170e16
                                        • Opcode Fuzzy Hash: 816fcecda1f769583c3765ed0f4c3d7f6d0ac69af40f8ce4c00a1947da190021
                                        • Instruction Fuzzy Hash: 5301DE35900219DBCB1AFBA4E805ABEB7B1AFA4710F24451AF8146B2D2DF309F04CF91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018EBC8
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018EBD2
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0018EC23
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018EC43
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 6884f74371bcf4ff598469bc1a3d1f2825245ddd00c546508428686bf9b3ae16
                                        • Instruction ID: 4d2ed1362b5950625a38f2caf4f5d2d43e19d469b2108a73d50e07916326097b
                                        • Opcode Fuzzy Hash: 6884f74371bcf4ff598469bc1a3d1f2825245ddd00c546508428686bf9b3ae16
                                        • Instruction Fuzzy Hash: CD01CC359001199BCB16FB649946ABE7BB1BFA4710F244949F418AB2D2CF30AF058F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 0018EC5D
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0018EC67
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 0018ECB8
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0018ECD8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 1c98fdf19c17e28b0b5fe626647f4dbc3887ad6bb2f9a046a4868b016d92a452
                                        • Instruction ID: cb0cd8b0fc31da57e04b025e58fcd52d0517de3c243caf362437e008cdbe7f9d
                                        • Opcode Fuzzy Hash: 1c98fdf19c17e28b0b5fe626647f4dbc3887ad6bb2f9a046a4868b016d92a452
                                        • Instruction Fuzzy Hash: 7001CC35A00219DBCB06FB64D845AAEBBB1BFA4720F244419F4156B2D2CF309F458F91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182C51
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182C5B
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182CAC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182CCC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: fbc696848d6666c1762336ad38c347b4bd522d94fd7da18b2793c972636a91d1
                                        • Instruction ID: fe063f075e0ef1acee79b0f5909a8f0b539df118d26ad4f424fe5b0ba1871749
                                        • Opcode Fuzzy Hash: fbc696848d6666c1762336ad38c347b4bd522d94fd7da18b2793c972636a91d1
                                        • Instruction Fuzzy Hash: E801DE39901219DBCB16FBA4D905ABE77B1AFA4710F254409F4156B2D2CF709F048F90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182CE6
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182CF0
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182D41
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182D61
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: c4e9310c6bed1d7cafab9cf16006e0432ddbe90a05164fa50b97098599075a5c
                                        • Instruction ID: ea41af41d2fbc07d66cec144c145f155e3ea92cc28ef7a6990bdc05d17cb3c13
                                        • Opcode Fuzzy Hash: c4e9310c6bed1d7cafab9cf16006e0432ddbe90a05164fa50b97098599075a5c
                                        • Instruction Fuzzy Hash: CE01C0359002199BCB16FBA49945AAE7B71BFA4710F244609F414772D2CF709F05CF91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182E10
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182E1A
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182E6B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182E8B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 3fdb4acd700419141c69f31a0726798cb362bc0def0c6cb774f5cd0976ec1bc0
                                        • Instruction ID: dd021b745b8d47ec2ee29bcc8fa4aa54e7e7dcb5a801a65f74e599b0b4c2556e
                                        • Opcode Fuzzy Hash: 3fdb4acd700419141c69f31a0726798cb362bc0def0c6cb774f5cd0976ec1bc0
                                        • Instruction Fuzzy Hash: C601D236900119DBCB06FB64D805AAE77B1BFA4710F244909F814672D1CF709F448F90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182EA5
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182EAF
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182F00
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182F20
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 7fb42f07c87919e033afeebb66dfaf544c57df05a6bdb8ed02fd90c2f95edab8
                                        • Instruction ID: fdec731835a8ac45a33e9d40120ea86d1da658fcba0fffcf76114292faeade55
                                        • Opcode Fuzzy Hash: 7fb42f07c87919e033afeebb66dfaf544c57df05a6bdb8ed02fd90c2f95edab8
                                        • Instruction Fuzzy Hash: 1C01DE399002199BCB06FB64E805ABE77B1BFA4710F244519F5156B2D2DF709F04CF90
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 00182F3A
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00182F44
                                          • Part of subcall function 00178C20: std::_Lockit::_Lockit.LIBCPMT ref: 00178C50
                                          • Part of subcall function 00178C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00178C78
                                        • std::_Facet_Register.LIBCPMT ref: 00182F95
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00182FB5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                        • String ID:
                                        • API String ID: 2854358121-0
                                        • Opcode ID: 18db79a660f50b514c3c0154fe694e324c9ce341b8418e687ca2f8b8e674bdde
                                        • Instruction ID: dffa780334376d0de7a7f89a22ae4390073b3b5b221237e0fa61254304235b1f
                                        • Opcode Fuzzy Hash: 18db79a660f50b514c3c0154fe694e324c9ce341b8418e687ca2f8b8e674bdde
                                        • Instruction Fuzzy Hash: 1A01CC35900219DBCB06FB649806ABEBBB1BFA4710F244509F914AB292CF309F44CF90
                                        APIs
                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,001B3053,?,00000001,?,?,?,001B2198,?,?,00000000), ref: 001B369D
                                        • GetLastError.KERNEL32(?,001B3053,?,00000001,?,?,?,001B2198,?,?,00000000,?,?,?,001B271F,?), ref: 001B36A9
                                          • Part of subcall function 001B366F: CloseHandle.KERNEL32(FFFFFFFE,001B36B9,?,001B3053,?,00000001,?,?,?,001B2198,?,?,00000000,?,?), ref: 001B367F
                                        • ___initconout.LIBCMT ref: 001B36B9
                                          • Part of subcall function 001B3631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001B3660,001B3040,?,?,001B2198,?,?,00000000,?), ref: 001B3644
                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,001B3053,?,00000001,?,?,?,001B2198,?,?,00000000,?), ref: 001B36CE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        • Opcode ID: 38db6d7dda72ae236d7ce93f079934d080f278764c33cc3d9943142810accc53
                                        • Instruction ID: 4eef18448ff5e98692230a454a3766ac27aaecb788430b7bb583953189c90808
                                        • Opcode Fuzzy Hash: 38db6d7dda72ae236d7ce93f079934d080f278764c33cc3d9943142810accc53
                                        • Instruction Fuzzy Hash: 17F01C36504118BBCF226F99DC08DCD3F66FB593A1B004150FE2996660D732CAB0EB90
                                        APIs
                                        • SleepConditionVariableCS.KERNELBASE(?,00192CBD,00000064), ref: 00192D43
                                        • LeaveCriticalSection.KERNEL32(001CDD3C,?,?,00192CBD,00000064,?,?,?,001723B6,001CE638,E71D449C,?,?,001B3D6D,000000FF), ref: 00192D4D
                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00192CBD,00000064,?,?,?,001723B6,001CE638,E71D449C,?,?,001B3D6D,000000FF), ref: 00192D5E
                                        • EnterCriticalSection.KERNEL32(001CDD3C,?,00192CBD,00000064,?,?,?,001723B6,001CE638,E71D449C,?,?,001B3D6D,000000FF), ref: 00192D65
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                        • String ID:
                                        • API String ID: 3269011525-0
                                        • Opcode ID: 4e72c77f205afcffb725af3fda5d1ec57c004aaf361097f84d3d75d011b835e6
                                        • Instruction ID: 8b69688569c6fa17cefe2a5e1162cd6abeb285d22a884a8b30bd3bb4594ceac0
                                        • Opcode Fuzzy Hash: 4e72c77f205afcffb725af3fda5d1ec57c004aaf361097f84d3d75d011b835e6
                                        • Instruction Fuzzy Hash: EFE09232945524BBCB122FC4FC08EAA3F39AF45F11B000065F506665F1CB6089808BD1
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0017EC8E
                                          • Part of subcall function 0017D87C: __EH_prolog3.LIBCMT ref: 0017D883
                                          • Part of subcall function 0017D87C: std::_Lockit::_Lockit.LIBCPMT ref: 0017D88D
                                          • Part of subcall function 0017D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 0017D8FE
                                        • _Find_elem.LIBCPMT ref: 0017EE8A
                                        Strings
                                        • 0123456789ABCDEFabcdef-+Xx, xrefs: 0017ECF6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                        • String ID: 0123456789ABCDEFabcdef-+Xx
                                        • API String ID: 2544715827-2799312399
                                        • Opcode ID: 1388363724b6492f5546320b15d1212a86fa2b598a2f9e1a6a0d34697978b7ad
                                        • Instruction ID: 43ed6b295706b4c11bba94dcd423bb09bd8adca923df6222a094632b30386459
                                        • Opcode Fuzzy Hash: 1388363724b6492f5546320b15d1212a86fa2b598a2f9e1a6a0d34697978b7ad
                                        • Instruction Fuzzy Hash: CDC16234E042889EDF25DFA4C5507ECBBF2AF59304F2484E9E8996B287CB319D46CB51
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 001862C8
                                          • Part of subcall function 00182D74: __EH_prolog3.LIBCMT ref: 00182D7B
                                          • Part of subcall function 00182D74: std::_Lockit::_Lockit.LIBCPMT ref: 00182D85
                                          • Part of subcall function 00182D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00182DF6
                                        • _Find_elem.LIBCPMT ref: 00186502
                                        Strings
                                        • 0123456789ABCDEFabcdef-+Xx, xrefs: 0018633F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                        • String ID: 0123456789ABCDEFabcdef-+Xx
                                        • API String ID: 2544715827-2799312399
                                        • Opcode ID: 9d3ee15bcfcdaa9c553d1db9cedb0a73651665432b5bc4b9ba4e938f1b032b0b
                                        • Instruction ID: 56bd2fab71edd92cb6b5e53f6654ff97caaeea8776febb80a62dc525d82bf5ed
                                        • Opcode Fuzzy Hash: 9d3ee15bcfcdaa9c553d1db9cedb0a73651665432b5bc4b9ba4e938f1b032b0b
                                        • Instruction Fuzzy Hash: AFC17370E042688BDF25FF64C8517BCBBB2BF55304F548099E889AB286DB349E85CF50
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0018669E
                                          • Part of subcall function 0017B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 0017B8DD
                                          • Part of subcall function 0017B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 0017B900
                                          • Part of subcall function 0017B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 0017B928
                                          • Part of subcall function 0017B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 0017B9B7
                                        • _Find_elem.LIBCPMT ref: 001868D8
                                        Strings
                                        • 0123456789ABCDEFabcdef-+Xx, xrefs: 00186715
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                        • String ID: 0123456789ABCDEFabcdef-+Xx
                                        • API String ID: 3042121994-2799312399
                                        • Opcode ID: 7d87ebc7cc6908a316117a540403b86e02bb6a20590f6ecae8234c7eccf825b7
                                        • Instruction ID: 7898cf818a2103f98d5f24420a31900d41f84a4b3337c61ab816a0bc83208690
                                        • Opcode Fuzzy Hash: 7d87ebc7cc6908a316117a540403b86e02bb6a20590f6ecae8234c7eccf825b7
                                        • Instruction Fuzzy Hash: 1CC16230E042688FDF25EF64C9957BCBBB2BF51304F548099D889AB286DB349E85DF50
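Every function record in this listing (the `WriteConsoleW` console-output record above, and the three `_Find_elem` records that all carry the string `0123456789ABCDEFabcdef-+Xx` and share the string half `2799312399` of their `API String ID`) follows one fixed layout. The Python below is an added example, not Joe Sandbox tooling and not part of this report: it parses records in that layout and triages them, separating functions that only touch C runtime and STL helpers (the `.LIBCMT` / `.LIBCPMT` module suffixes, treated here as library noise, which is an assumption based on the suffixes visible in the listing) from functions that reach the Windows API, and grouping functions whose `API String ID` share the same string half. The embedded sample is an abridged excerpt of three records from this report, with the `Memory Dump Source` and `Joe Sandbox IDA Plugin` lines dropped to keep it short.

```python
"""Parse Joe Sandbox per-function records ('APIs' / 'Strings' / 'Similarity'
blocks as laid out in this report) and triage them.  Added example, not Joe
Sandbox tooling; treating LIBCMT/LIBCPMT as CRT/STL noise is an assumption."""
import re
from collections import defaultdict

# Abridged excerpt of three records from this report (dump-source lines dropped).
SAMPLE = """\
APIs
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,001B3053,?,00000001,?,?,?,001B2198,?,?,00000000), ref: 001B369D
• GetLastError.KERNEL32(?,001B3053,?,00000001,?,?,?,001B2198,?,?,00000000,?,?,?,001B271F,?), ref: 001B36A9
  • Part of subcall function 001B366F: CloseHandle.KERNEL32(FFFFFFFE,001B36B9,?,001B3053,?,00000001,?,?,?,001B2198,?,?,00000000,?,?), ref: 001B367F
• ___initconout.LIBCMT ref: 001B36B9
Similarity
• String ID:
• API String ID: 2744216297-0
• Instruction Fuzzy Hash: 17F01C36504118BBCF226F99DC08DCD3F66FB593A1B004150FE2996660D732CAB0EB90
APIs
• __EH_prolog3_GS.LIBCMT ref: 001862C8
  • Part of subcall function 00182D74: std::_Lockit::_Lockit.LIBCPMT ref: 00182D85
• _Find_elem.LIBCPMT ref: 00186502
Strings
• 0123456789ABCDEFabcdef-+Xx, xrefs: 0018633F
Similarity
• API String ID: 2544715827-2799312399
• Instruction Fuzzy Hash: AFC17370E042688BDF25FF64C8517BCBBB2BF55304F548099E889AB286DB349E85CF50
APIs
• __EH_prolog3_GS.LIBCMT ref: 0018669E
• _Find_elem.LIBCPMT ref: 001868D8
Strings
• 0123456789ABCDEFabcdef-+Xx, xrefs: 00186715
Similarity
• API String ID: 3042121994-2799312399
• Instruction Fuzzy Hash: 1CC16230E042688FDF25EF64C9957BCBBB2BF51304F548099D889AB286DB349E85DF50
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
CRT_MODULES = {"LIBCMT", "LIBCPMT"}   # assumption: CRT/STL helpers, not the sample's own logic
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_]+)(?P<args>\(.*\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

def parse_records(text):
    """Split the listing into records; a record closes at its 'Instruction Fuzzy Hash' line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if rec is None:                   # first header after a closed record opens a new one
                rec = {"apis": [], "strings": [], "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "ref": m["ref"], "subcall": m["caller"] is not None})
        elif section == "Strings":
            value, _, xrefs = item.partition(", xrefs: ")
            rec["strings"].append((value, xrefs))
        elif section == "Similarity":
            key, _, value = item.partition(":")
            rec["similarity"][key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":   # last field of every record
                rec = None
    return records

def classify(rec):
    """Triage bucket: pure CRT/STL helper, code that reaches the OS API, or no API at all."""
    modules = {a["module"] for a in rec["apis"]}
    if not modules:
        return "no-api"
    return "crt-library" if modules <= CRT_MODULES else "os-api"

def group_by_string_id(records):
    """Map the string half of 'API String ID' to the fuzzy hashes of the functions
    sharing it; several entries means near-duplicate instantiations of one routine."""
    groups = defaultdict(list)
    for rec in records:
        _, _, string_id = rec["similarity"].get("API String ID", "").partition("-")
        if string_id and string_id != "0":    # 0 means the function references no string
            groups[string_id].append(rec["similarity"]["Instruction Fuzzy Hash"])
    return dict(groups)

def os_api_calls(records):
    """Direct (non-subcall) calls outside the CRT: the ones worth reading first."""
    return sorted({a["name"] for r in records for a in r["apis"]
                   if not a["subcall"] and a["module"] not in CRT_MODULES})
```

Run `parse_records(SAMPLE)` and feed the result to `classify`, `group_by_string_id` and `os_api_calls`. On this section of the report most records land in the `crt-library` bucket (locale facets, `_Find_elem`, `_swprintf`, `__aulldiv`), which is where an analyst stops reading; the `os-api` bucket, here the `WriteConsoleW` / `GetLastError` record and the `SleepConditionVariableCS` / critical-section record, is where to start.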
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 001A1AFD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: 71e01d1699fdca1bd10c3e0db17386974d7746b59f09ddd91fa54a2cd3ad7e7a
                                        • Instruction ID: da0dbdbb40b14f374d406a537e603bf6392a8d3d74bfe57ab3fcfe20e4b6eae4
                                        • Opcode Fuzzy Hash: 71e01d1699fdca1bd10c3e0db17386974d7746b59f09ddd91fa54a2cd3ad7e7a
                                        • Instruction Fuzzy Hash: 4951796DA09201EACF157B14C9013BA7BB0FF53710FA08959F0C1822E9EB328CD5DA97
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                        • API String ID: 3732870572-1956417402
                                        • Opcode ID: ae45d943aef1460f52f9488630f5a7d7edad73ea7c8c48723d39b5f63e4a902c
                                        • Instruction ID: aa386dc516d85f6a2c931dc7c2bfc257dd9ba9b5ed12c5fc5925df9a3b476d18
                                        • Opcode Fuzzy Hash: ae45d943aef1460f52f9488630f5a7d7edad73ea7c8c48723d39b5f63e4a902c
                                        • Instruction Fuzzy Hash: 0E51F730B0424ABBDF298F7C84917BEBBF9AF06740F18445AE891D7241C3709D85C761
                                        APIs
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 0017BF6E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_task
                                        • String ID: false$true
                                        • API String ID: 118556049-2658103896
                                        • Opcode ID: 62235a21fa9a9a6d31e50a53ede017fbb897e6f84a8b955417f090dff9aa0a06
                                        • Instruction ID: 222e85c9c5118de906f334bc3d974a0f537f241d7e429092047c9987cdaef1cb
                                        • Opcode Fuzzy Hash: 62235a21fa9a9a6d31e50a53ede017fbb897e6f84a8b955417f090dff9aa0a06
                                        • Instruction Fuzzy Hash: 8D51D7B5D00748DFDB10DFA4C841BEEB7B8FF19304F14826AE845AB641E774AA85CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 0-3019864461
                                        • Opcode ID: ac3d1b422d80a74a895ff590f74af5663d306a369f38eebf24001c30231de568
                                        • Instruction ID: 57f819bcca91c941f148a6f5c72c560cad38156d6444c8a69dd7d58368dbd416
                                        • Opcode Fuzzy Hash: ac3d1b422d80a74a895ff590f74af5663d306a369f38eebf24001c30231de568
                                        • Instruction Fuzzy Hash: 1651E171A14204ABDF14DF64C895FAEB7B5FFA4304F50851DE405B76C1DBB4A984CBA0
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0018D501
                                        • _swprintf.LIBCMT ref: 0018D573
                                          • Part of subcall function 0018254E: __EH_prolog3.LIBCMT ref: 00182555
                                          • Part of subcall function 0018254E: std::_Lockit::_Lockit.LIBCPMT ref: 0018255F
                                          • Part of subcall function 0018254E: std::_Lockit::~_Lockit.LIBCPMT ref: 001825D0
                                          • Part of subcall function 00182FC8: __EH_prolog3.LIBCMT ref: 00182FCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
                                        • String ID: %.0Lf
                                        • API String ID: 3050236999-1402515088
                                        • Opcode ID: 949853a9221fff1d15e19c82d47046ce38ce77f201944a440c1873eab7c8fcbc
                                        • Instruction ID: 38e155f8ae88c45334568408814e453e15fec3d71f5cd90ff9d6364bbb8859e5
                                        • Opcode Fuzzy Hash: 949853a9221fff1d15e19c82d47046ce38ce77f201944a440c1873eab7c8fcbc
                                        • Instruction Fuzzy Hash: A0416A71E00309ABCF09EFE0D845AED7BB5FF58304F208549E846AB295EB359A15CF90
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0018D7A5
                                        • _swprintf.LIBCMT ref: 0018D817
                                          • Part of subcall function 00178610: std::_Lockit::_Lockit.LIBCPMT ref: 00178657
                                          • Part of subcall function 00178610: std::_Lockit::_Lockit.LIBCPMT ref: 00178679
                                          • Part of subcall function 00178610: std::_Lockit::~_Lockit.LIBCPMT ref: 001786A1
                                          • Part of subcall function 00178610: std::_Lockit::~_Lockit.LIBCPMT ref: 0017880E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                        • String ID: %.0Lf
                                        • API String ID: 1487807907-1402515088
                                        • Opcode ID: 7b915dbb3a436375dce5f019983593f33a8d2a8d525d324b6e4597d55b88cc9b
                                        • Instruction ID: 0614ca78944e15edacb2dd7506f2905b9dc96bef6d3181ef535bf1424f659939
                                        • Opcode Fuzzy Hash: 7b915dbb3a436375dce5f019983593f33a8d2a8d525d324b6e4597d55b88cc9b
                                        • Instruction Fuzzy Hash: 2E417B71E00319ABCF09EFE4D845AED7BB5FF18300F208559E846AB295EB359A15CF90
                                        APIs
                                        • __EH_prolog3_GS.LIBCMT ref: 0019188E
                                        • _swprintf.LIBCMT ref: 00191900
                                          • Part of subcall function 00179270: std::_Lockit::_Lockit.LIBCPMT ref: 001792A0
                                          • Part of subcall function 00179270: std::_Lockit::_Lockit.LIBCPMT ref: 001792C2
                                          • Part of subcall function 00179270: std::_Lockit::~_Lockit.LIBCPMT ref: 001792EA
                                          • Part of subcall function 00179270: std::_Lockit::~_Lockit.LIBCPMT ref: 00179422
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                        • String ID: %.0Lf
                                        • API String ID: 1487807907-1402515088
                                        • Opcode ID: f7c847e778c03580ea6a807e462aa9b121a48889883036ea5992c40d0ca279b9
                                        • Instruction ID: 12ade17d806a4390a131a53d07cdfb4cc0f4825e40a6399119067a95b8d1848c
                                        • Opcode Fuzzy Hash: f7c847e778c03580ea6a807e462aa9b121a48889883036ea5992c40d0ca279b9
                                        • Instruction Fuzzy Hash: D3418971E00209ABCF09EFE0C854AED7BB5FF18304F208549E846AB291DB35AA55DF90
                                        APIs
                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0019607E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID: MOC$RCC
                                        • API String ID: 2118026453-2084237596
                                        • Opcode ID: b5691b24cdf7b77074ad507b9b787dfb538d7d2ec4a8657252c6d85471a1c83d
                                        • Instruction ID: f68b2d156720bd406880deb4e7c9c64f18cb42bbc1b4c49d1b0cc9dffae696a5
                                        • Opcode Fuzzy Hash: b5691b24cdf7b77074ad507b9b787dfb538d7d2ec4a8657252c6d85471a1c83d
                                        • Instruction Fuzzy Hash: 87416A71900209EFCF16DF98CD81AEEBBB6FF88304F188169F908A7252D3359951DB61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: H_prolog3___cftoe
                                        • String ID: !%x
                                        • API String ID: 855520168-1893981228
                                        • Opcode ID: e5afae42f9ab0df2fa9dab25d2971aa6a61e66e9bd973e38fb9d4b4f05ef6019
                                        • Instruction ID: 490b67be5197d4647b2fbac0a4cff31ad10b947ee8492d797e6abd10bbddfb76
                                        • Opcode Fuzzy Hash: e5afae42f9ab0df2fa9dab25d2971aa6a61e66e9bd973e38fb9d4b4f05ef6019
                                        • Instruction Fuzzy Hash: 74314671E00209EBDF04EF94E981AEEB7B6FF18304F204819F905A7251DB75AA46CF64
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: H_prolog3___cftoe
                                        • String ID: !%x
                                        • API String ID: 855520168-1893981228
                                        • Opcode ID: df583f4a8fae6e0864d50de2a90eb2679e57bf81553dc0ed7abdb59b6fb4c7b3
                                        • Instruction ID: 1137d1bc62271d53560c9a7df00dc02df1d58e7870643a7c143088e221643604
                                        • Opcode Fuzzy Hash: df583f4a8fae6e0864d50de2a90eb2679e57bf81553dc0ed7abdb59b6fb4c7b3
                                        • Instruction Fuzzy Hash: 8A318D72D1528DAFEF04DF98D881AEEBBB5FF19300F144019F845A7242D7759A85CBA0
                                        APIs
                                        • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00175F86
                                        • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,E71D449C), ref: 00175FF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: ConvertFreeLocalString
                                        • String ID: Invalid SID
                                        • API String ID: 3201929900-130637731
                                        • Opcode ID: da78e3fd65eac2b5ba6d4844d238eaa72510cc5a1b7ac756c3f3f3de974f3748
                                        • Instruction ID: 3fadbe374b19ea8d8073a2eec4eb3a329b7d430bad10fc34f28e50b3da59409a
                                        • Opcode Fuzzy Hash: da78e3fd65eac2b5ba6d4844d238eaa72510cc5a1b7ac756c3f3f3de974f3748
                                        • Instruction Fuzzy Hash: A821C074A04605DBDB14DF58C815BAFBBF9FF44714F104A1EE405A7780D7B6AA448BD0
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0017909B
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001790FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                        • String ID: bad locale name
                                        • API String ID: 3988782225-1405518554
                                        • Opcode ID: fc9bfb73a774e500bece6a692582fbb080842d65a47be411f91e31cf18184264
                                        • Instruction ID: 3b79ae7b949863cdc3169f5dcee94b02001406603693d5ebfe8e8b6017bc8082
                                        • Opcode Fuzzy Hash: fc9bfb73a774e500bece6a692582fbb080842d65a47be411f91e31cf18184264
                                        • Instruction Fuzzy Hash: F221C370905784DED721CFA8C904B4BBFF4EF29710F10869DE49997781D3B5A608CBA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID: false$true
                                        • API String ID: 2427045233-2658103896
                                        • Opcode ID: 7b0863c6191153510a85553f682c13599e2f02a751b4f299ebb97ba5fafcb38d
                                        • Instruction ID: 8444e921fda7f2617011befc0b7307feacafbc97fa347803a612ef8e50db7527
                                        • Opcode Fuzzy Hash: 7b0863c6191153510a85553f682c13599e2f02a751b4f299ebb97ba5fafcb38d
                                        • Instruction Fuzzy Hash: E5119075941B44AEC724EFB4D841B8AB7F4AF29300F14C52EF4A69B641EB30E605CB90
                                        APIs
                                          • Part of subcall function 0017C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,E71D449C,?,001B3D30,000000FF), ref: 0017C657
                                          • Part of subcall function 0017C630: GetLastError.KERNEL32(?,00000000,00000000,E71D449C,?,001B3D30,000000FF), ref: 0017C661
                                        • IsDebuggerPresent.KERNEL32(?,?,001C8AF0), ref: 0017D0D8
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,001C8AF0), ref: 0017D0E7
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0017D0E2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 3511171328-631824599
                                        • Opcode ID: a6043e52719147c4e478cd3ad441ed423bff3cce3e2a10035e38cfe4194e7b30
                                        • Instruction ID: ea08b46addb80744a651f18ca63a1d07ce7b10386e13f96af0cdfe2bf2ecaacb
                                        • Opcode Fuzzy Hash: a6043e52719147c4e478cd3ad441ed423bff3cce3e2a10035e38cfe4194e7b30
                                        • Instruction Fuzzy Hash: A4E092B02047518FD320AF38E5047827BF0AF55340F04C99DF449E2780D7B0D4888BA1
                                        APIs
                                        • LocalFree.KERNEL32(00000000,00174261,001B4400,000000FF,E71D449C,00000000,?,00000000,?,?,?,001B4400,000000FF,?,00173A75,?), ref: 00174096
                                        • LocalAlloc.KERNEL32(00000040,40000022,E71D449C,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00174154
                                        • LocalAlloc.KERNEL32(00000040,3FFFFFFF,E71D449C,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00174177
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00174217
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Local$AllocFree
                                        • String ID:
                                        • API String ID: 2012307162-0
                                        • Opcode ID: 78506eb906f7e2539b15ec13b67a52cb70f9992fd9252fbcf5a24f89a0848b87
                                        • Instruction ID: ac8dcdceb34aa07e629c347e146d9de6e9e714477ee67489aadf63aefe5e3583
                                        • Opcode Fuzzy Hash: 78506eb906f7e2539b15ec13b67a52cb70f9992fd9252fbcf5a24f89a0848b87
                                        • Instruction Fuzzy Hash: 4651AEB5A002059FDB18DF6CD885AAEBBB5FB48350F14862DF929E7381D730AD50CB90
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00171E01
                                        • LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00171E21
                                        • LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00171EA7
                                        • LocalFree.KERNEL32(00000001,E71D449C,00000000,00000000,001B3C40,000000FF,?,00000000), ref: 00171F2D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1770339996.0000000000171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00170000, based on PE: true
                                        • Associated: 00000005.00000002.1770298597.0000000000170000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770418622.00000000001B7000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770476643.00000000001CC000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000005.00000002.1770522235.00000000001D0000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_170000_MSI706F.jbxd
                                        Similarity
                                        • API ID: Local$AllocFree
                                        • String ID:
                                        • API String ID: 2012307162-0
                                        • Opcode ID: 4fea0bee2b48c9e5c23efdc786ecc291a7e97dc09a72ddac74eebc3a43955c59
                                        • Instruction ID: ce5102205e6dec9cb3028dc9fa3cdff60a98ba32addde1c70ccdc58a02d9048a
                                        • Opcode Fuzzy Hash: 4fea0bee2b48c9e5c23efdc786ecc291a7e97dc09a72ddac74eebc3a43955c59
                                        • Instruction Fuzzy Hash: B251D272508215AFC725DF2CDC40A6AB7F9FB89350F114A2EF86AD7690DB30E9448B91

                                        Execution Graph

                                        Execution Coverage:0.6%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:391
                                        Total number of Limit Nodes:24
                                        execution_graph 71330 f8e41a 71335 f8e39e 71330->71335 71333 f8e45c _amsg_exit 71334 f8e464 71333->71334 71338 f8e2f9 71335->71338 71337 f8e3ab __wgetmainargs 71337->71333 71337->71334 71345 f8e8ec 71338->71345 71340 f8e305 _decode_pointer 71341 f8e328 7 API calls 71340->71341 71342 f8e31c _onexit 71340->71342 71346 f8e395 _unlock 71341->71346 71343 f8e38c __onexit 71342->71343 71343->71337 71345->71340 71346->71343 71347 fee66d 71348 fee67d 71347->71348 71349 fee678 ___security_init_cookie 71347->71349 71352 fee557 71348->71352 71349->71348 71351 fee68b 71353 fee563 71352->71353 71354 fee331 __CRT_INIT@12 21 API calls 71353->71354 71357 fee5be 71353->71357 71359 fee58a 71353->71359 71354->71357 71355 fee5ee 71355->71359 71360 fee331 71355->71360 71357->71355 71358 fee331 __CRT_INIT@12 21 API calls 71357->71358 71357->71359 71358->71355 71359->71351 71361 fee33f 71360->71361 71362 fee368 71361->71362 71366 fee43c 71361->71366 71383 fee383 71361->71383 71363 fee39b InterlockedCompareExchange 71362->71363 71364 fee3a3 71362->71364 71368 fee38e Sleep 71362->71368 71363->71362 71363->71364 71369 fee3b8 _amsg_exit 71364->71369 71370 fee3c1 _initterm_e 71364->71370 71365 fee46e InterlockedCompareExchange 71365->71366 71367 fee478 71365->71367 71366->71365 71366->71367 71371 fee463 Sleep 71366->71371 71366->71383 71374 fee48b _amsg_exit 71367->71374 71375 fee498 _decode_pointer 71367->71375 71368->71363 71372 fee3fd 71369->71372 71373 fee3e7 _initterm 71370->71373 71370->71383 71371->71365 71376 fee40d 71372->71376 71377 fee405 InterlockedExchange 71372->71377 71373->71372 71374->71383 71378 fee539 71375->71378 71379 fee4b2 _decode_pointer 71375->71379 71382 fee415 __IsNonwritableInCurrentImage 71376->71382 71376->71383 71377->71376 71380 fee545 InterlockedExchange 71378->71380 71378->71383 71381 fee4c6 71379->71381 71380->71383 71384 fee51f free _encoded_null 71381->71384 71385 fee4d3 _encoded_null 71381->71385 71382->71383 
71383->71359 71384->71378 71385->71381 71386 fee4dd _decode_pointer _encoded_null 71385->71386 71389 feda60 71386->71389 71390 feda7e _decode_pointer _decode_pointer 71389->71390 71391 feda71 HeapDestroy 71389->71391 71390->71381 71391->71390 71392 e42b30 71397 ecf250 71392->71397 71396 e42b6f 71401 ecffc0 71397->71401 71400 e42a70 16 API calls 71400->71396 71403 e42b38 71401->71403 71405 ecffce 71401->71405 71403->71396 71403->71400 71405->71403 71407 ed0090 71405->71407 71413 ed01c0 ?_query_new_mode@ 71405->71413 71414 ecf1e0 ?_query_new_handler@@YAP6AHI 71405->71414 71408 ed0099 71407->71408 71415 e4dd80 71408->71415 71412 ed00b2 71412->71405 71413->71405 71414->71405 71416 e4ddcc 71415->71416 71417 e4dda9 codecvt 71415->71417 71418 e4de16 71416->71418 71426 ecf350 71416->71426 71432 ed0877 10 API calls __onexit 71417->71432 71423 ecf420 71418->71423 71424 ecf438 codecvt 71423->71424 71425 ecf44f HeapAlloc 71424->71425 71425->71412 71427 ecf3bb GetProcessHeap 71426->71427 71428 ecf36b HeapCreate 71426->71428 71430 e4de0c 71427->71430 71428->71430 71431 ecf39d HeapSetInformation 71428->71431 71433 ed0877 10 API calls __onexit 71430->71433 71431->71430 71432->71416 71433->71418 71434 fd02b8 71437 fed8f0 71434->71437 71440 fedd30 71437->71440 71439 fd02c3 71441 fedd3a 71440->71441 71445 fedd48 71440->71445 71446 fedbd0 71441->71446 71443 fedd43 71443->71439 71445->71443 71450 fd2a10 71445->71450 71447 fedbda 71446->71447 71449 fedbde 71446->71449 71447->71443 71449->71447 71454 fedca0 71449->71454 71451 fd2a39 71450->71451 71452 fd2a9c 71451->71452 71463 fed9d0 71451->71463 71452->71445 71455 fedca9 71454->71455 71456 fd2a10 3 API calls 71455->71456 71457 fedcbb 71456->71457 71460 fedaa0 71457->71460 71459 fedcc2 71459->71449 71461 fedab8 71460->71461 71462 fedacf RtlAllocateHeap 71461->71462 71462->71459 71464 feda3b GetProcessHeap 71463->71464 71465 fed9eb HeapCreate 71463->71465 71466 feda39 71464->71466 71465->71466 71468 feda1d HeapSetInformation 71465->71468 
71466->71452 71468->71466 71469 e50630 71470 e50641 XLFS_Init 71469->71470 71471 e5078a 71469->71471 71472 e50656 71470->71472 71473 e50677 71472->71473 71474 e50688 71472->71474 71530 e79030 16 API calls 71473->71530 71531 e79010 16 API calls 71474->71531 71477 e50686 71478 e506c7 71477->71478 71479 e506a7 71477->71479 71535 e47010 16 API calls 71478->71535 71532 e47050 16 API calls 71479->71532 71482 e506ac 71533 e4c280 16 API calls 71482->71533 71483 e506cc 71536 e666e0 16 API calls allocator 71483->71536 71486 e506b6 71534 e66710 16 API calls allocator 71486->71534 71487 e506d6 71537 e4c280 16 API calls 71487->71537 71490 e506c0 71506 ecf120 71490->71506 71493 ecf120 allocator 16 API calls 71494 e50711 71493->71494 71511 e4d7b0 24 API calls 71494->71511 71496 e50758 71512 e7ec90 memset 71496->71512 71498 e50764 XL_IsRenderModeEnabled 71538 e7b9a0 71498->71538 71502 e5077d 71545 e7f7b0 16 API calls 71502->71545 71504 e50783 71505 ecf250 16 API calls 71504->71505 71505->71471 71508 ecf124 allocator 71506->71508 71507 ecffc0 allocator 16 API calls 71507->71508 71508->71507 71509 e506ec 71508->71509 71546 ecf1e0 ?_query_new_handler@@YAP6AHI 71508->71546 71509->71493 71511->71496 71547 ecfd70 71512->71547 71515 e7ed01 71553 e7f260 10 API calls _Immortalize 71515->71553 71516 e7eceb 71551 e7f260 10 API calls _Immortalize 71516->71551 71519 e7ecf4 71552 e7f450 62 API calls 2 library calls 71519->71552 71520 e7ed08 71554 e7f450 62 API calls 2 library calls 71520->71554 71523 e7ecfb 71555 e7fad0 10 API calls _Immortalize 71523->71555 71525 e7ed16 71556 e7fbe0 64 API calls 2 library calls 71525->71556 71527 e7ed1d 71557 ed068e 7 API calls 71527->71557 71529 e7ed2d 71529->71498 71530->71477 71531->71477 71532->71482 71533->71486 71534->71490 71535->71483 71536->71487 71537->71490 71539 e7b9ad 71538->71539 71540 e50776 71538->71540 71558 e7b460 memset 71539->71558 71544 e7bc80 24 API calls allocator 71540->71544 71542 e7b9bd 71559 ed0877 10 API calls __onexit 71542->71559 
71544->71502 71545->71504 71546->71508 71548 e7ecca PathAppendW PathFileExistsW 71547->71548 71549 ecfd79 71547->71549 71548->71515 71548->71516 71549->71548 71550 ecfd83 GetModuleFileNameW 71549->71550 71550->71548 71551->71519 71552->71523 71553->71520 71554->71523 71555->71525 71556->71527 71557->71529 71558->71542 71559->71540 71563 e7c8b0 71564 ecf120 allocator 16 API calls 71563->71564 71565 e7c8b7 71564->71565 71566 e7c380 memset 71583 e7c2b0 memset SystemParametersInfoW 71566->71583 71569 e7c446 71572 e7c454 wcsncpy 71569->71572 71582 e7c443 71569->71582 71570 e7c3cd _wcsicmp 71570->71569 71571 e7c3e0 _wcsicmp 71570->71571 71571->71569 71574 e7c3f3 71571->71574 71595 ed068e 7 API calls 71572->71595 71592 e7c1f0 12 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 71574->71592 71575 e7c473 71577 e7c409 71577->71569 71593 e7c1f0 12 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 71577->71593 71579 e7c426 71579->71569 71580 e7c42d 71579->71580 71594 e7c1f0 12 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 71580->71594 71582->71569 71582->71572 71584 e7b9a0 11 API calls 71583->71584 71585 e7c303 71584->71585 71596 e7bc10 ldiv 71585->71596 71587 e7c30a 71588 e7c316 71587->71588 71589 e7c31b wcsncpy 71587->71589 71588->71589 71597 ed068e 7 API calls 71589->71597 71591 e7c338 _wcsicmp 71591->71569 71591->71570 71592->71577 71593->71579 71594->71582 71595->71575 71596->71587 71597->71591 71598 ed0e26 71599 ed0e36 71598->71599 71600 ed0e31 71598->71600 71604 ed0d10 71599->71604 71612 ed1276 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 71600->71612 71603 ed0e44 71605 ed0d1c ___DllMainCRTStartup 71604->71605 71606 ed0d43 ___DllMainCRTStartup 71605->71606 71607 ed0aea __CRT_INIT@12 
20 API calls 71605->71607 71609 ed0d77 ___DllMainCRTStartup 71605->71609 71606->71603 71607->71609 71609->71606 71610 ed0aea __CRT_INIT@12 20 API calls 71609->71610 71611 ed0da7 71609->71611 71610->71611 71611->71606 71613 ed0aea 71611->71613 71612->71599 71614 ed0af8 71613->71614 71615 ed0b21 71614->71615 71620 ed0bf5 71614->71620 71632 ed0b3c __IsNonwritableInCurrentImage 71614->71632 71616 ed0b54 InterlockedCompareExchange 71615->71616 71617 ed0b5c 71615->71617 71619 ed0b47 Sleep 71615->71619 71616->71615 71616->71617 71622 ed0b7a _initterm_e 71617->71622 71623 ed0b71 _amsg_exit 71617->71623 71618 ed0c27 InterlockedCompareExchange 71618->71620 71621 ed0c31 71618->71621 71619->71616 71620->71618 71620->71621 71624 ed0c1c Sleep 71620->71624 71620->71632 71625 ed0c44 _amsg_exit 71621->71625 71626 ed0c51 _decode_pointer 71621->71626 71628 ed0ba0 _initterm 71622->71628 71622->71632 71627 ed0bb6 71623->71627 71624->71618 71625->71632 71630 ed0c6b _decode_pointer 71626->71630 71631 ed0cf2 71626->71631 71629 ed0bbe InterlockedExchange 71627->71629 71627->71632 71628->71627 71629->71632 71633 ed0c7f 71630->71633 71631->71632 71634 ed0cfe InterlockedExchange 71631->71634 71632->71606 71635 ed0cd8 free _encoded_null 71633->71635 71636 ed0c8c _encoded_null 71633->71636 71634->71632 71635->71631 71636->71633 71637 ed0c96 _decode_pointer _encoded_null 71636->71637 71640 ecf3e0 71637->71640 71641 ecf3fe _decode_pointer _decode_pointer 71640->71641 71642 ecf3f1 HeapDestroy 71640->71642 71641->71633 71642->71641 71643 fc3c70 71644 fc3cc3 71643->71644 71648 fc3c7d 71643->71648 71645 fc3ccc ?_Xlen@_String_base@std@ 71644->71645 71646 fc3cd2 71644->71646 71645->71646 71649 fc3ce5 71646->71649 71655 fc3420 71646->71655 71648->71644 71651 fc3ca6 71648->71651 71650 fc3d23 memcpy_s 71649->71650 71652 fc3cfd 71649->71652 71650->71652 71661 fc3580 10 API calls 71651->71661 71654 fc3cbd 71656 fc345d 71655->71656 71662 fec960 71656->71662 71658 fc34e9 71658->71649 71660 fc34d6 memcpy_s 
71660->71658 71661->71654 71664 fec964 71662->71664 71663 fedbd0 4 API calls 71663->71664 71664->71663 71665 fc3493 71664->71665 71665->71658 71665->71660 71666 fd38f0 71667 fd391b 71666->71667 71669 fd3922 71666->71669 71668 fec960 4 API calls 71667->71668 71668->71669 71670 f8e465 71690 f8e8ec 71670->71690 71672 f8e471 GetStartupInfoW 71673 f8e4a2 InterlockedCompareExchange 71672->71673 71674 f8e4af 71673->71674 71676 f8e4b3 71673->71676 71675 f8e4bb Sleep 71674->71675 71674->71676 71675->71673 71677 f8e4de 71676->71677 71678 f8e4d4 _amsg_exit 71676->71678 71679 f8e507 71677->71679 71680 f8e4e7 _initterm_e 71677->71680 71678->71679 71681 f8e531 71679->71681 71682 f8e516 _initterm 71679->71682 71680->71679 71684 f8e502 __onexit 71680->71684 71683 f8e536 InterlockedExchange 71681->71683 71686 f8e53e __IsNonwritableInCurrentImage 71681->71686 71682->71681 71683->71686 71686->71684 71687 f8e60e 71686->71687 71688 f8e5c2 exit 71686->71688 71691 f82320 CoInitialize DefWindowProcW InitCommonControlsEx 71686->71691 71687->71684 71689 f8e616 _cexit 71687->71689 71688->71686 71689->71684 71690->71672 71705 f81600 71691->71705 71697 f82376 71698 f823bc 71697->71698 71699 f82398 71697->71699 71700 f8238c free 71697->71700 71752 f81410 #64 DeleteCriticalSection 71698->71752 71702 f823ac ??3@YAXPAX 71699->71702 71703 f8239f free 71699->71703 71700->71699 71702->71698 71703->71702 71704 f823c1 CoUninitialize 71704->71686 71706 f81630 71705->71706 71707 f8163b GetCurrentThreadId ??2@YAPAXI 71706->71707 71708 f8165d 71706->71708 71707->71708 71709 f81f20 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W 71708->71709 71710 f81f8d CreateMutexW 71709->71710 71711 f81f86 71709->71711 71712 f8204f EnterCriticalSection GetCurrentThreadId 71710->71712 71713 f81fa1 GetLastError 71710->71713 71711->71710 71753 f82510 _recalloc _recalloc 71712->71753 71713->71712 71714 f81fb2 CloseHandle FindWindowW 71713->71714 71716 f81fcb 
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W ??2@YAPAXI 71714->71716 71717 f82030 ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE 71714->71717 71719 f8200d 71716->71719 71720 f82011 SendMessageW ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE 71716->71720 71721 f822af 71717->71721 71719->71720 71720->71717 71809 f8e222 71721->71809 71724 f822cf 71751 f81760 EnterCriticalSection DestroyWindow free ??3@YAXPAX 71724->71751 71726 f820fa XLFS_Init XLUE_InitLoader XLLRT_GetEnv 71786 f89c5c 71726->71786 71727 f820f3 exit 71727->71726 71737 f82139 7 API calls 71738 f821dd 71737->71738 71739 f821e4 XLUE_AddXARSearchPath XLUE_LoadXAR 71737->71739 71738->71739 71740 f82202 71739->71740 71741 f82236 71740->71741 71806 f81ee0 34 API calls 71740->71806 71807 f814b0 PeekMessageW GetMessageW TranslateMessage DispatchMessageW 71741->71807 71744 f8223f 71808 f816c0 7 API calls 71744->71808 71746 f82246 ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE 71747 f82269 free 71746->71747 71748 f82273 71746->71748 71747->71748 71749 f8228d ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE 71748->71749 71750 f82283 free 71748->71750 71749->71721 71750->71749 71751->71697 71752->71704 71754 f82530 _recalloc 71753->71754 71755 f820ae 71753->71755 71754->71755 71756 f81a70 71755->71756 71815 f9bdc0 71756->71815 71761 f81afd 71762 f81b01 7 API calls 71761->71762 71763 f81bab PathIsDirectoryW 71762->71763 71764 f81bbd memset PathCombineW CopyFileW 71762->71764 71763->71764 71765 f81bfc memset PathCombineW PathFileExistsW 71763->71765 71764->71765 71766 f81c41 PathIsDirectoryW 71765->71766 71767 f81c53 memset PathCombineW CopyFileW 71765->71767 71766->71767 71768 f81c92 memset PathCombineW PathFileExistsW 71766->71768 71767->71768 71769 f81ce9 memset PathCombineW CopyFileW 71768->71769 71770 f81cd7 PathIsDirectoryW 71768->71770 71771 f81d28 PathFileExistsW 71769->71771 
71770->71769 71770->71771 71772 f81d3a PathIsDirectoryW 71771->71772 71773 f81dd7 ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE 71771->71773 71772->71773 71774 f81d50 LoadLibraryW 71772->71774 71775 f81eab 71773->71775 71774->71773 71776 f81d64 memset GetTempPathW PathAppendW GetProcAddress 71774->71776 71777 f8e222 __ehhandler$___std_fs_get_file_id@8 7 API calls 71775->71777 71779 f81dc2 GetProcAddress 71776->71779 71778 f81ecb XL_PrepareGraphicParam XL_InitGraphicLib XL_SetFreeTypeEnabled WSAStartup 71777->71778 71778->71726 71778->71727 71780 f81dd0 FreeLibrary 71779->71780 71781 f81df6 GetProcAddress 71779->71781 71780->71773 71781->71780 71782 f81e04 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE memset GetModuleFileNameW 71781->71782 71834 f86c20 15 API calls __ehhandler$___std_fs_get_file_id@8 71782->71834 71784 f81e52 ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE 71784->71775 71787 f82116 71786->71787 71788 f89c64 XLLRT_RegisterClass 71786->71788 71789 f89c83 71787->71789 71788->71787 71790 f89c91 XLLRT_RegisterGlobalObj 71789->71790 71791 f8211f 71789->71791 71790->71791 71792 f8ae83 71791->71792 71793 f8ae8b XLLRT_RegisterClass 71792->71793 71794 f82128 71792->71794 71793->71794 71795 f8aeaa 71794->71795 71796 f8aeb8 XLLRT_RegisterGlobalObj 71795->71796 71797 f82131 71795->71797 71796->71797 71798 f81860 XLLRT_GetEnv 71797->71798 71799 f81879 7 API calls 71798->71799 71800 f819e4 ??2@YAPAXI 71798->71800 71799->71800 71801 f819f2 71800->71801 71802 f81a25 71801->71802 71803 f8e39e _pre_cpp_init 10 API calls 71801->71803 71804 f81a40 XLLRT_GetRuntime XLLRT_ReleaseRunTime XLLRT_ReleaseEnv 71802->71804 71805 f81a31 ??3@YAXPAX 71802->71805 71803->71802 71804->71737 71805->71804 71806->71741 71807->71744 71808->71746 71810 f8e22a 71809->71810 71811 f8e22c IsDebuggerPresent _crt_debugger_hook SetUnhandledExceptionFilter UnhandledExceptionFilter 71809->71811 71810->71724 71813 f8ea5c GetCurrentProcess TerminateProcess 71811->71813 71814 f8ea54 _crt_debugger_hook 71811->71814 71813->71724 71814->71813 71816 f81a88 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W 71815->71816 71817 f86cf0 71816->71817 71818 f86d42 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W 71817->71818 71819 f86d77 ??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W 71817->71819 71820 f8e39e _pre_cpp_init 10 API calls 71818->71820 71821 f86e8a ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@ 71819->71821 71822 f86d92 memset PathFileExistsW 71819->71822 71826 f86d6d 71820->71826 71825 f8e222 __ehhandler$___std_fs_get_file_id@8 7 API calls 71821->71825 71823 f86dee PathFileExistsW 71822->71823 71824 f86e04 SHGetValueW 71822->71824 71823->71824 71827 f86df9 PathIsDirectoryW 71823->71827 71824->71821 71828 f86e28 PathFileExistsW 71824->71828 71829 f81ad2 memset 71825->71829 71826->71819 71827->71824 71830 f86e51 ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W ??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEAB_WI 71827->71830 71828->71821 71831 f86e33 PathIsDirectoryW 71828->71831 71829->71761 71829->71762 71830->71821 71833 f86e7a ??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W 71830->71833 71831->71821 71832 f86e3e PathCombineW 71831->71832 71832->71830 71833->71821 71834->71784

                                        Control-flow Graph

                                        APIs
                                        • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90(00FA2AA4,7E2FC452,00FAC508,011605A0,?,00000000,00F9E048,000000FF,00F820BA), ref: 00F81AB7
                                          • Part of subcall function 00F86CF0: ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90 ref: 00F86D5D
                                          • Part of subcall function 00F86CF0: ??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z.MSVCP90(00FAC5B8,00FA2AA4,7E2FC452,00FAC508,011605A0,?,00000000), ref: 00F86D81
                                          • Part of subcall function 00F86CF0: memset.MSVCR90 ref: 00F86DA4
                                          • Part of subcall function 00F86CF0: PathFileExistsW.SHLWAPI ref: 00F86DDC
                                          • Part of subcall function 00F86CF0: PathFileExistsW.SHLWAPI(?), ref: 00F86DF3
                                          • Part of subcall function 00F86CF0: PathIsDirectoryW.SHLWAPI(?), ref: 00F86DFE
                                          • Part of subcall function 00F86CF0: SHGetValueW.SHLWAPI(80000001,SOFTWARE\Thunder Network\Thunder,Path,?,?,80000002), ref: 00F86E22
                                          • Part of subcall function 00F86CF0: PathFileExistsW.SHLWAPI(?), ref: 00F86E2D
                                          • Part of subcall function 00F86CF0: PathIsDirectoryW.SHLWAPI(?), ref: 00F86E38
                                          • Part of subcall function 00F86CF0: PathCombineW.SHLWAPI(?,?,..\..\), ref: 00F86E4B
                                        • memset.MSVCR90 ref: 00F81AEA
                                        • PathCombineW.SHLWAPI(?,?,Program\), ref: 00F81B15
                                        • memset.MSVCR90 ref: 00F81B2F
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F81B46
                                        • PathRemoveFileSpecW.SHLWAPI(?), ref: 00F81B54
                                        • memset.MSVCR90 ref: 00F81B72
                                        • PathCombineW.SHLWAPI(?,?,XLBugReport.exe), ref: 00F81B8F
                                        • PathFileExistsW.SHLWAPI(?), ref: 00F81B9F
                                        • PathIsDirectoryW.SHLWAPI(?), ref: 00F81BB3
                                        • memset.MSVCR90 ref: 00F81BCF
                                        • PathCombineW.SHLWAPI(?,?,XLBugReport.exe), ref: 00F81BE9
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00F81BFA
                                        • memset.MSVCR90 ref: 00F81C14
                                        • PathCombineW.SHLWAPI(?,?,XLBugHandler.dll), ref: 00F81C31
                                        • PathFileExistsW.SHLWAPI(?), ref: 00F81C3B
                                        • PathIsDirectoryW.SHLWAPI(?), ref: 00F81C49
                                        • memset.MSVCR90 ref: 00F81C65
                                        • PathCombineW.SHLWAPI(?,?,XLBugHandler.dll), ref: 00F81C7F
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00F81C90
                                        • memset.MSVCR90 ref: 00F81CAA
                                        • PathCombineW.SHLWAPI(?,?,minizip.dll), ref: 00F81CC7
                                        • PathFileExistsW.SHLWAPI(?), ref: 00F81CD1
                                        • PathIsDirectoryW.SHLWAPI(?), ref: 00F81CDF
                                        • memset.MSVCR90 ref: 00F81CFB
                                        • PathCombineW.SHLWAPI(?,?,minizip.dll), ref: 00F81D15
                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00F81D26
                                        • PathFileExistsW.SHLWAPI(?), ref: 00F81D30
                                        • PathIsDirectoryW.SHLWAPI(?), ref: 00F81D42
                                        • LoadLibraryW.KERNEL32(?), ref: 00F81D58
                                        • memset.MSVCR90 ref: 00F81D7C
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00F81D91
                                        • PathAppendW.SHLWAPI(?,BrowserSupportDump\), ref: 00F81DA4
                                        • GetProcAddress.KERNEL32(00000000,_XL_SetBugReportRootDir@4), ref: 00F81DB6
                                        • GetProcAddress.KERNEL32(00000000,_XL_InitBugHandler@20), ref: 00F81DC8
                                        • FreeLibrary.KERNEL32(00000000), ref: 00F81DD1
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F81DE6
                                        • GetProcAddress.KERNEL32(00000000,_XL_SetAlwaysSendReport@4), ref: 00F81DFC
                                        • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F81E08
                                        • memset.MSVCR90 ref: 00F81E25
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000,00000208), ref: 00F81E3C
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F81E8E
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F81EA3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785982664.0000000000F81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F80000, based on PE: true
                                        • Associated: 00000007.00000002.1785946057.0000000000F80000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786041431.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786079153.0000000000FAB000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786123133.0000000000FAD000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_f80000_thelper.jbxd
                                        Similarity
                                        • API ID: Path$File$memset$CombineU?$char_traits@_V?$allocator@_W@std@@$Exists$DirectoryW@2@@std@@$??0?$basic_string@_??1?$basic_string@_AddressCopyProc$LibraryModuleName$??$?8_AppendFreeLoadRemoveSpecTempV?$basic_string@_ValueW@1@@std@@W@2@@0@
                                        • String ID: -bug$BrowserSupport$BrowserSupportDump\$Program\$XLBugHandler.dll$XLBugReport.exe$_XL_InitBugHandler@20$_XL_SetAlwaysSendReport@4$_XL_SetBugReportRootDir@4$minizip.dll
                                        • API String ID: 1687364463-214281796
                                        • Opcode ID: e573b904a391581d49c5035ef8aaaef8e7dd6953d5e6ac294a57816a573542cb
                                        • Instruction ID: cd0f48c3a03fe56b3305b69560c226d4e80478ecf69d1b2565bc829f594b1ad4
                                        • Opcode Fuzzy Hash: e573b904a391581d49c5035ef8aaaef8e7dd6953d5e6ac294a57816a573542cb
                                        • Instruction Fuzzy Hash: DDB11FB2508384ABD334EBA4DC45FEBB7E8AFC8700F04491DF599C2191EAB5D5099B63

                                        Control-flow Graph

                                        control_flow_graph 33 f81f20-f81f84 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z 34 f81f8d-f81f9b CreateMutexW 33->34 35 f81f86 33->35 36 f8204f-f820f1 EnterCriticalSection GetCurrentThreadId call f82510 call f81a70 XL_PrepareGraphicParam XL_InitGraphicLib XL_SetFreeTypeEnabled WSAStartup 34->36 37 f81fa1-f81fac GetLastError 34->37 35->34 51 f820fa-f821db XLFS_Init XLUE_InitLoader XLLRT_GetEnv call f89c5c call f89c83 call f8ae83 call f8aeaa call f81860 memset GetModuleFileNameW PathRemoveFileSpecW PathAddBackslashW ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z ??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ 36->51 52 f820f3-f820f4 exit 36->52 37->36 38 f81fb2-f81fc9 CloseHandle FindWindowW 37->38 40 f81fcb-f8200b ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z ??2@YAPAXI@Z 38->40 41 f82030-f8204a ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ 38->41 43 f8200d 40->43 44 f82011-f8202a SendMessageW ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ 40->44 45 f822af-f822d5 call f8e222 41->45 43->44 44->41 63 f821dd 51->63 64 f821e4-f821fd XLUE_AddXARSearchPath XLUE_LoadXAR 51->64 52->51 63->64 65 f82202-f82208 64->65 66 f82228-f8222a 65->66 67 f8220a-f8220d 65->67 68 f8222d-f8222f 66->68 69 f8220f-f82217 67->69 70 f82224-f82226 67->70 71 f82231 call f81ee0 68->71 72 f82236-f82267 call f814b0 call f816c0 ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ 68->72 69->66 73 f82219-f82222 69->73 70->68 71->72 79 f82269-f8226f free 72->79 80 f82273-f82281 72->80 81 f8228d-f822ad ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ 80->81 82 f82283-f82289 free 80->82 81->45 82->81
                                        APIs
                                        • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90(xl8.browserSupport.mutexId,7E2FC452), ref: 00F81F66
                                        • CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00F81F91
                                        • GetLastError.KERNEL32 ref: 00F81FA1
                                        • CloseHandle.KERNEL32(00000000), ref: 00F81FB3
                                        • FindWindowW.USER32(00000000,browserSupport.cmdlistener.wnd), ref: 00F81FBF
                                        • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90(BringWndToTop), ref: 00F81FD4
                                        • ??2@YAPAXI@Z.MSVCR90 ref: 00F81FE4
                                        • SendMessageW.USER32(00000000,0000004A,00000000,00000000), ref: 00F82019
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F8202A
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F82042
                                        • EnterCriticalSection.KERNEL32(00FAC508), ref: 00F82089
                                        • GetCurrentThreadId.KERNEL32 ref: 00F8208F
                                          • Part of subcall function 00F82510: _recalloc.MSVCR90(?,00000002,00000004,00FAC508,00F820AE,?,?), ref: 00F82521
                                        • LeaveCriticalSection.KERNEL32(00FAC508,?,?), ref: 00F820AF
                                          • Part of subcall function 00F81A70: ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90(00FA2AA4,7E2FC452,00FAC508,011605A0,?,00000000,00F9E048,000000FF,00F820BA), ref: 00F81AB7
                                          • Part of subcall function 00F81A70: memset.MSVCR90 ref: 00F81AEA
                                          • Part of subcall function 00F81A70: PathCombineW.SHLWAPI(?,?,Program\), ref: 00F81B15
                                          • Part of subcall function 00F81A70: memset.MSVCR90 ref: 00F81B2F
                                          • Part of subcall function 00F81A70: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F81B46
                                          • Part of subcall function 00F81A70: PathRemoveFileSpecW.SHLWAPI(?), ref: 00F81B54
                                          • Part of subcall function 00F81A70: memset.MSVCR90 ref: 00F81B72
                                          • Part of subcall function 00F81A70: PathCombineW.SHLWAPI(?,?,XLBugReport.exe), ref: 00F81B8F
                                          • Part of subcall function 00F81A70: PathFileExistsW.SHLWAPI(?), ref: 00F81B9F
                                          • Part of subcall function 00F81A70: PathIsDirectoryW.SHLWAPI(?), ref: 00F81BB3
                                          • Part of subcall function 00F81A70: memset.MSVCR90 ref: 00F81BCF
                                          • Part of subcall function 00F81A70: PathCombineW.SHLWAPI(?,?,XLBugReport.exe), ref: 00F81BE9
                                        • XL_PrepareGraphicParam.XLGRAPHIC(?), ref: 00F820BF
                                        • XL_InitGraphicLib.XLGRAPHIC(?), ref: 00F820CE
                                        • XL_SetFreeTypeEnabled.XLGRAPHIC(00000001), ref: 00F820D6
                                        • WSAStartup.WS2_32(00000202,?), ref: 00F820E9
                                        • exit.MSVCR90 ref: 00F820F4
                                        • XLFS_Init.XLFSIO ref: 00F820FA
                                        • XLUE_InitLoader.XLUE(00000000), ref: 00F82101
                                        • XLLRT_GetEnv.XLLUARUNTIME(00000000), ref: 00F82108
                                        • memset.MSVCR90 ref: 00F82151
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F82167
                                        • PathRemoveFileSpecW.SHLWAPI(?), ref: 00F82175
                                        • PathAddBackslashW.SHLWAPI(?), ref: 00F82183
                                        • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90(?), ref: 00F82195
                                        • ??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z.MSVCP90 ref: 00F821B1
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F821C6
                                        • XLUE_AddXARSearchPath.XLUE(?), ref: 00F821E5
                                        • XLUE_LoadXAR.XLUE(BrowserSupport), ref: 00F821F0
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F82255
                                        • free.MSVCR90(?), ref: 00F8226A
                                        • free.MSVCR90(?), ref: 00F82284
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F822A7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785982664.0000000000F81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F80000, based on PE: true
                                        • Associated: 00000007.00000002.1785946057.0000000000F80000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786041431.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786079153.0000000000FAB000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786123133.0000000000FAD000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_f80000_thelper.jbxd
                                        Similarity
                                        • API ID: U?$char_traits@_V?$allocator@_W@std@@$PathW@2@@std@@$??1?$basic_string@_Filememset$??0?$basic_string@_$CombineInit$CriticalGraphicModuleNameRemoveSectionSpecfree$??$???2@BackslashCloseCreateCurrentDirectoryEnabledEnterErrorExistsFindFreeHandleLastLeaveLoadLoaderMessageMutexParamPrepareSearchSendStartupThreadTypeV10@V?$basic_string@_W@1@@std@@W@2@@0@Window_recallocexit
                                        • String ID: v$-repair$BringWndToTop$BrowserSupport$Xar\$browserSupport.cmdlistener.wnd$xl8.browserSupport.mutexId
                                        • API String ID: 3363966529-2146482043
                                        • Opcode ID: 36c22b5296f6c05fb2f7a76c26e2b10a70b17c85e8cca92edb65f344fcf5ddd7
                                        • Instruction ID: 00483c1fdf87bad5c3b7de6c0e83ab3a21ba3ac29b6099ed4186049926cae17f
                                        • Opcode Fuzzy Hash: 36c22b5296f6c05fb2f7a76c26e2b10a70b17c85e8cca92edb65f344fcf5ddd7
                                        • Instruction Fuzzy Hash: 30A19DB15083449FD720EF74DC88AAAB7E8FF99315F444A2EF58AC2262D7349508DB53

                                        Control-flow Graph

                                        APIs
                                        • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90 ref: 00F86D5D
                                          • Part of subcall function 00F8E39E: __onexit.MSVCRT ref: 00F8E3A6
                                        • ??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z.MSVCP90(00FAC5B8,00FA2AA4,7E2FC452,00FAC508,011605A0,?,00000000), ref: 00F86D81
                                        • memset.MSVCR90 ref: 00F86DA4
                                        • PathFileExistsW.SHLWAPI ref: 00F86DDC
                                        • PathFileExistsW.SHLWAPI(?), ref: 00F86DF3
                                        • PathIsDirectoryW.SHLWAPI(?), ref: 00F86DFE
                                        • SHGetValueW.SHLWAPI(80000001,SOFTWARE\Thunder Network\Thunder,Path,?,?,80000002), ref: 00F86E22
                                        • PathFileExistsW.SHLWAPI(?), ref: 00F86E2D
                                        • PathIsDirectoryW.SHLWAPI(?), ref: 00F86E38
                                        • PathCombineW.SHLWAPI(?,?,..\..\), ref: 00F86E4B
                                        • ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z.MSVCP90(?), ref: 00F86E5B
                                        • ??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEAB_WI@Z.MSVCP90(-00000001), ref: 00F86E6E
                                        • ??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z.MSVCP90(00FA2D74), ref: 00F86E84
                                        • ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z.MSVCP90(00FAC5B8), ref: 00F86E91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785982664.0000000000F81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F80000, based on PE: true
                                        • Associated: 00000007.00000002.1785946057.0000000000F80000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786041431.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786079153.0000000000FAB000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786123133.0000000000FAD000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_f80000_thelper.jbxd
                                        Similarity
                                        • API ID: U?$char_traits@_V?$allocator@_W@std@@$Path$W@2@@std@@$ExistsFileV01@$??4?$basic_string@_Directory$??$?8_??0?$basic_string@_A?$basic_string@_CombineV01@@V?$basic_string@_ValueW@1@@std@@W@2@@0@Y?$basic_string@___onexitmemset
                                        • String ID: ..\..\$Path$SOFTWARE\Thunder Network\Thunder$SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd$instdir
                                        • API String ID: 2108441883-774939401
                                        • Opcode ID: e1b7da4d1c8a841b3f55fde8780128bfa4b08078966ac480f78d69beea761156
                                        • Instruction ID: 290b39b429bc3fc7f07f8aad6c8f09756a79b269000b11c19548969a739faaa4
                                        • Opcode Fuzzy Hash: e1b7da4d1c8a841b3f55fde8780128bfa4b08078966ac480f78d69beea761156
                                        • Instruction Fuzzy Hash: 0941B5B1604305AFC714EB58DC45FAB77E8EB89714F04452EF955C3190EB74E508EBA2

                                        Control-flow Graph

                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 00F8232D
                                        • DefWindowProcW.USER32(00000000,00000000,00000000,00000000), ref: 00F8233B
                                        • InitCommonControlsEx.COMCTL32 ref: 00F82356
                                          • Part of subcall function 00F81600: GetCurrentThreadId.KERNEL32 ref: 00F8163B
                                          • Part of subcall function 00F81600: ??2@YAPAXI@Z.MSVCR90 ref: 00F81651
                                          • Part of subcall function 00F81F20: ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90(xl8.browserSupport.mutexId,7E2FC452), ref: 00F81F66
                                          • Part of subcall function 00F81F20: CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00F81F91
                                          • Part of subcall function 00F81F20: GetLastError.KERNEL32 ref: 00F81FA1
                                          • Part of subcall function 00F81F20: CloseHandle.KERNEL32(00000000), ref: 00F81FB3
                                          • Part of subcall function 00F81F20: FindWindowW.USER32(00000000,browserSupport.cmdlistener.wnd), ref: 00F81FBF
                                          • Part of subcall function 00F81F20: ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP90(BringWndToTop), ref: 00F81FD4
                                          • Part of subcall function 00F81F20: ??2@YAPAXI@Z.MSVCR90 ref: 00F81FE4
                                          • Part of subcall function 00F81F20: SendMessageW.USER32(00000000,0000004A,00000000,00000000), ref: 00F82019
                                          • Part of subcall function 00F81F20: ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F8202A
                                          • Part of subcall function 00F81F20: ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00F82042
                                          • Part of subcall function 00F81760: EnterCriticalSection.KERNEL32(00FAC508,?,?,00F82376), ref: 00F8176C
                                          • Part of subcall function 00F81760: DestroyWindow.USER32(?,?,?,00F82376), ref: 00F81786
                                          • Part of subcall function 00F81760: free.MSVCR90(?,?,?,00F82376), ref: 00F8179E
                                          • Part of subcall function 00F81760: ??3@YAXPAX@Z.MSVCR90 ref: 00F817BC
                                          • Part of subcall function 00F81760: LeaveCriticalSection.KERNEL32(00FAC508,?,?,00F82376), ref: 00F817CF
                                        • free.MSVCR90(00000000), ref: 00F8238D
                                        • free.MSVCR90(01166618), ref: 00F823A0
                                        • ??3@YAXPAX@Z.MSVCR90 ref: 00F823B4
                                        • CoUninitialize.OLE32 ref: 00F823C1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785982664.0000000000F81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F80000, based on PE: true
                                        • Associated: 00000007.00000002.1785946057.0000000000F80000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786041431.0000000000F9F000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786079153.0000000000FAB000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000007.00000002.1786123133.0000000000FAD000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_f80000_thelper.jbxd
                                        Similarity
                                        • API ID: U?$char_traits@_V?$allocator@_W@2@@std@@W@std@@$Windowfree$??0?$basic_string@_??1?$basic_string@_??2@??3@CriticalSection$CloseCommonControlsCreateCurrentDestroyEnterErrorFindHandleInitInitializeLastLeaveMessageMutexProcSendThreadUninitialize
                                        • String ID:
                                        • API String ID: 3978411270-0
                                        • Opcode ID: 3aec9045f6e96dfac0c7524d4461652483bbe91b3be8449d6a5599a786d80714
                                        • Instruction ID: 89f731ce45a494ca24538e9ed6cde5fe9106f0ba9919f95089cf8d5d89b6d820
                                        • Opcode Fuzzy Hash: 3aec9045f6e96dfac0c7524d4461652483bbe91b3be8449d6a5599a786d80714
                                        • Instruction Fuzzy Hash: 5F1182B1A003056BD720BF65DC0AB8B7BA8BF44711F144929F999D7290DB74F418DBA2

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCR90 ref: 00E7ECB6
                                        • PathAppendW.SHLWAPI(?,..\FontSetting.ini), ref: 00E7ECD7
                                        • PathFileExistsW.KERNELBASE ref: 00E7ECE1
                                          • Part of subcall function 00E7F450: _DebugHeapAllocator.LIBCPMTD ref: 00E7F4AA
                                          • Part of subcall function 00E7F450: _itow.MSVCR90 ref: 00E7F4DA
                                          • Part of subcall function 00E7F450: _itow.MSVCR90 ref: 00E7F528
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Path_itow$AllocatorAppendDebugExistsFileHeapmemset
                                        • String ID: ..\FontSetting.ini
                                        • API String ID: 1855005611-1583566485
                                        • Opcode ID: 4ccfb890b9e4f130b2a73f1f01ac996fb977e639f4a5d8f56a3e624e676cc928
                                        • Instruction ID: 00fdbb5d23520fbafb78bd3ea04f27fb6a1124761981082cb7cb499f7abd9504
                                        • Opcode Fuzzy Hash: 4ccfb890b9e4f130b2a73f1f01ac996fb977e639f4a5d8f56a3e624e676cc928
                                        • Instruction Fuzzy Hash: E80121B46183016BC624FBB4D85AB6F73D4DF88704F40E92DF1AAA7192EA74D1049792

                                        Control-flow Graph

                                        control_flow_graph 135 ecf350-ecf369 136 ecf3bb-ecf3c4 GetProcessHeap 135->136 137 ecf36b-ecf378 135->137 138 ecf3c7-ecf3ce 136->138 139 ecf37a 137->139 140 ecf381-ecf39b HeapCreate 137->140 141 ecf3d4 138->141 142 ecf3d0-ecf3d2 138->142 139->140 143 ecf39d-ecf3b3 HeapSetInformation 140->143 144 ecf3b9 140->144 145 ecf3d6-ecf3d9 141->145 142->145 143->144 144->138
                                        APIs
                                        • HeapCreate.KERNELBASE(00000000,00000000,00000000), ref: 00ECF389
                                        • HeapSetInformation.KERNEL32(00000000,00000000,00000002,00000004), ref: 00ECF3B3
                                        • GetProcessHeap.KERNEL32 ref: 00ECF3BB
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Heap$CreateInformationProcess
                                        • String ID:
                                        • API String ID: 3982942217-0
                                        • Opcode ID: 8a8593eb4376b4efac36e5994f8e4a1870a03be01600206f1e5b312193874d38
                                        • Instruction ID: 38a4435e31dbd9983741bc0f02363988d38ea679897d85bc7ff3825490090592
                                        • Opcode Fuzzy Hash: 8a8593eb4376b4efac36e5994f8e4a1870a03be01600206f1e5b312193874d38
                                        • Instruction Fuzzy Hash: 17119A74E05288FBDB00CFA5C554BADBBB2EF45304F14C0AEE8106B381C3769A06DB90

                                        Control-flow Graph

                                        control_flow_graph 146 fed9d0-fed9e9 147 feda3b-feda44 GetProcessHeap 146->147 148 fed9eb-fed9f8 146->148 149 feda47-feda4e 147->149 150 fed9fa 148->150 151 feda01-feda1b HeapCreate 148->151 152 feda54 149->152 153 feda50-feda52 149->153 150->151 154 feda1d-feda33 HeapSetInformation 151->154 155 feda39 151->155 156 feda56-feda59 152->156 153->156 154->155 155->149
                                        APIs
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00FEDA09
                                        • HeapSetInformation.KERNEL32(00000000,00000000,00000002,00000004), ref: 00FEDA33
                                        • GetProcessHeap.KERNEL32 ref: 00FEDA3B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: Heap$CreateInformationProcess
                                        • String ID:
                                        • API String ID: 3982942217-0
                                        • Opcode ID: f967aabb5a345b4216f3e96cef864063d2100320fad89abd41e01127bd2aa83b
                                        • Instruction ID: 79e32c1c0c5a93ce9e2f32f28878eaa1707880f1136d480a02923ec469edaa5e
                                        • Opcode Fuzzy Hash: f967aabb5a345b4216f3e96cef864063d2100320fad89abd41e01127bd2aa83b
                                        • Instruction Fuzzy Hash: 03117C78E08288EFDB04CFA1C454BADBBB6BF46704F14C099E8155B382C77A9A05EB50

                                        Control-flow Graph

                                        control_flow_graph 157 e7c2b0-e7c2fe memset SystemParametersInfoW call e7b9a0 159 e7c303-e7c314 call e7bc60 157->159 162 e7c316 159->162 163 e7c31b-e7c33e wcsncpy call ed068e 159->163 162->163
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: InfoParametersSystemmemsetwcsncpy
                                        • String ID:
                                        • API String ID: 1250501251-0
                                        • Opcode ID: 889eb22943f55a66dd75703dc04cf60de33558c8276663bb1a8f9a0be4b33ebf
                                        • Instruction ID: 912e22100843ad03702b1369ac449e85942d42fc2a02c30957029a8022314df0
                                        • Opcode Fuzzy Hash: 889eb22943f55a66dd75703dc04cf60de33558c8276663bb1a8f9a0be4b33ebf
                                        • Instruction Fuzzy Hash: E101A2B05503016FE324AB60DC4ABBF33D8EBC4704F40481DB1156B291DA7465088793

                                        Control-flow Graph

                                        control_flow_graph 166 fc3c70-fc3c7b 167 fc3c7d-fc3c86 166->167 168 fc3cc3-fc3cca 166->168 171 fc3c8c 167->171 172 fc3c88-fc3c8a 167->172 169 fc3ccc ?_Xlen@_String_base@std@@SAXXZ 168->169 170 fc3cd2-fc3cd7 168->170 169->170 173 fc3cf9-fc3cfb 170->173 174 fc3cd9-fc3ce0 call fc3420 170->174 175 fc3c8e-fc3c90 171->175 172->175 178 fc3cfd-fc3d03 173->178 179 fc3ce7 173->179 180 fc3ce5 174->180 175->168 177 fc3c92-fc3c95 175->177 183 fc3c9b 177->183 184 fc3c97-fc3c99 177->184 185 fc3d05-fc3d10 178->185 186 fc3d13-fc3d1e 178->186 181 fc3ce9-fc3cf3 179->181 182 fc3d40-fc3d45 179->182 180->179 187 fc3cf5-fc3cf7 181->187 188 fc3d21 181->188 189 fc3c9d-fc3ca4 183->189 184->189 190 fc3d23-fc3d37 memcpy_s 187->190 188->190 189->168 191 fc3ca6-fc3ca9 189->191 192 fc3d39 190->192 193 fc3d3b-fc3d3f 190->193 194 fc3cad-fc3cc0 call fc3580 191->194 195 fc3cab 191->195 192->193 193->182 195->194
                                        APIs
                                        • ?_Xlen@_String_base@std@@SAXXZ.MSVCP90(?,00000000,?,00FC6CA0,?,?,E3DC3B0A,?,00000000,?,?,00000000,?,00FEF09B,000000FF,00FC6D63), ref: 00FC3CCC
                                        • memcpy_s.MSVCR90 ref: 00FC3D27
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: String_base@std@@Xlen@_memcpy_s
                                        • String ID:
                                        • API String ID: 4060184576-0
                                        • Opcode ID: 7be9642de8cc62f1b9aafd157ce6a81c6a81876750dbfa59d66df050edfc03e7
                                        • Instruction ID: 80fd4c7b651744a10a63e7565de994bfe658175f3ad39341e99cfb8b16b3c474
                                        • Opcode Fuzzy Hash: 7be9642de8cc62f1b9aafd157ce6a81c6a81876750dbfa59d66df050edfc03e7
                                        • Instruction Fuzzy Hash: ED21F532300A068BD724DE4CE685F6FF3EAEBD1790B10881EE0539B691D731AE4597A1

                                        Control-flow Graph

                                        control_flow_graph 198 fc3420-fc345b 199 fc345d-fc345f 198->199 200 fc3461-fc3473 198->200 201 fc3483-fc348e call fec960 199->201 200->201 202 fc3475-fc347e 200->202 205 fc3493-fc34c6 201->205 202->201 203 fc3480 202->203 203->201 207 fc34c8-fc34cc 205->207 208 fc34e9-fc34ed 205->208 209 fc34ce-fc34d1 207->209 210 fc34d3 207->210 211 fc34ef-fc34f8 call fec9e0 208->211 212 fc34fb-fc350f 208->212 213 fc34d6-fc34e6 memcpy_s 209->213 210->213 211->212 215 fc3511 212->215 216 fc3513-fc3528 212->216 213->208 215->216
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: memcpy_s
                                        • String ID:
                                        • API String ID: 1502251526-0
                                        • Opcode ID: 84ad4aa1ef3dff56e7f1b02e3d146696960546dfbc829f29338f7cf3b5d987bf
                                        • Instruction ID: 82af5245811b0b8c3648f28f7985bf29b5e4621702a6417581ba8c84ed4de6be
                                        • Opcode Fuzzy Hash: 84ad4aa1ef3dff56e7f1b02e3d146696960546dfbc829f29338f7cf3b5d987bf
                                        • Instruction Fuzzy Hash: 6831B4B1904606EFD718CF19D981B59B7F9FB08350F00862EE826C7781D771AA44DBD1

                                        Control-flow Graph

                                        control_flow_graph 218 ecf3e0-ecf3ef 219 ecf3fe-ecf415 218->219 220 ecf3f1-ecf3f8 HeapDestroy 218->220 220->219
                                        APIs
                                        • HeapDestroy.KERNELBASE(?), ref: 00ECF3F8
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: DestroyHeap
                                        • String ID:
                                        • API String ID: 2435110975-0
                                        • Opcode ID: 8e9cd66c6c75f9181fbb9490434fd5eb266c3108601c84c83f022c579400d3f2
                                        • Instruction ID: 8a6bc156887ff9d36fe33669922764cd501a854e14371ea751acebd3ddeabfc9
                                        • Opcode Fuzzy Hash: 8e9cd66c6c75f9181fbb9490434fd5eb266c3108601c84c83f022c579400d3f2
                                        • Instruction Fuzzy Hash: BBE0ED74905148EFCB04DFA9E55495DBBB4EB09301B2481D9E80997311C6319E019B91

                                        Control-flow Graph

                                        control_flow_graph 222 feda60-feda6f 223 feda7e-feda95 222->223 224 feda71-feda78 HeapDestroy 222->224 224->223
                                        APIs
                                        • HeapDestroy.KERNELBASE(?), ref: 00FEDA78
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: DestroyHeap
                                        • String ID:
                                        • API String ID: 2435110975-0
                                        • Opcode ID: aa417da19c64d775f2a6a764b0c35cf64504f2647bf7e94c459429d79838b5fa
                                        • Instruction ID: 23e87a68e6106bb254ce72fe9781c8f480f7ad41c67af75000b0c57e2dc148f5
                                        • Opcode Fuzzy Hash: aa417da19c64d775f2a6a764b0c35cf64504f2647bf7e94c459429d79838b5fa
                                        • Instruction Fuzzy Hash: FAE01A78906148EFCB04CF99DA5496DFBF8AF09301F2482D9E80997311C631AF41EBA0

                                        Control-flow Graph

                                        control_flow_graph 226 fedaa0-fedab6 227 fedabf-fedad9 call fedbb0 RtlAllocateHeap 226->227 228 fedab8 226->228 228->227
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00FEDAD0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 6dae75e4ed3e8bcc71cd298b6ccf15faadcda2624a9f5d5dc836363da67fefa4
                                        • Instruction ID: 48dffaa6fc9b42e63b207957c03f140ab9d4e8bbeddff6aa3e237b24d718f988
                                        • Opcode Fuzzy Hash: 6dae75e4ed3e8bcc71cd298b6ccf15faadcda2624a9f5d5dc836363da67fefa4
                                        • Instruction Fuzzy Hash: 68E01A75905148ABCB04EFA5D914AAEBBB8AF45300F108199E844A7240DB359A04EBA0

                                        Control-flow Graph

                                        control_flow_graph 231 ecf420-ecf436 232 ecf43f-ecf459 call ecf530 HeapAlloc 231->232 233 ecf438 231->233 233->232
                                        APIs
                                        • HeapAlloc.KERNEL32(00000000,00000000,00000000), ref: 00ECF450
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: AllocHeap
                                        • String ID:
                                        • API String ID: 4292702814-0
                                        • Opcode ID: ba90e2625d6e48a30409a1b713c2a42f018dac79cd94ca0b606e0dd3f8c72cc0
                                        • Instruction ID: f426b0fede76a325a054373e8641a707dedbd4ec0df65de41cdc92d49d64dd4a
                                        • Opcode Fuzzy Hash: ba90e2625d6e48a30409a1b713c2a42f018dac79cd94ca0b606e0dd3f8c72cc0
                                        • Instruction Fuzzy Hash: D0E04F70904208ABCB04EFA5E904B9EBFB9AF44300F50819DE944A7340DA319B0ADBA0
                                        APIs
                                        • XL_GetBitmapInfo.MSVCR90(00000000,?,?,00000000), ref: 00E78B0E
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?,?,00000000,?,?,00000000), ref: 00E78B40
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Bitmap$BindClipInfo
                                        • String ID:
                                        • API String ID: 4145324106-0
                                        • Opcode ID: f4a4373b3807e40d059ff1a41e18649debdfb38645ab18bb5f5ee8a09aa56d8a
                                        • Instruction ID: 6fec285ca0f9bd0eb33fb2eaf678ae2f1c6b6aca2c4c1bab0ea33d8999623afa
                                        • Opcode Fuzzy Hash: f4a4373b3807e40d059ff1a41e18649debdfb38645ab18bb5f5ee8a09aa56d8a
                                        • Instruction Fuzzy Hash: EC8139B5A083419FC724CF69CA8495BFBE9BFD8714F14991DF988D7315DA30E8048B62
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 00ED0F17
                                        • _crt_debugger_hook.MSVCR90(00000001), ref: 00ED0F24
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00ED0F2C
                                        • UnhandledExceptionFilter.KERNEL32(00EE9F60), ref: 00ED0F37
                                        • _crt_debugger_hook.MSVCR90(00000001), ref: 00ED0F48
                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 00ED0F53
                                        • TerminateProcess.KERNEL32(00000000), ref: 00ED0F5A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
                                        • String ID:
                                        • API String ID: 3369434319-0
                                        • Opcode ID: 8c32b684ba012cb7c4971f4ab928ecd053efd440482b0da796a669f072e16c11
                                        • Instruction ID: 43b04633945b1b6f71290e1ad1a1cc79661a58e125cfd5a63d8ceb65fa834a04
                                        • Opcode Fuzzy Hash: 8c32b684ba012cb7c4971f4ab928ecd053efd440482b0da796a669f072e16c11
                                        • Instruction Fuzzy Hash: 14212FBC811288DFC310DF29F9496583BE0FB6A3A0F00112AEE08A3360E77049C9EF51
                                        APIs
                                        • XL_GetBitmapInfo.MSVCR90(?,?,?,?), ref: 00E6586E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: BitmapInfo
                                        • String ID:
                                        • API String ID: 1006323486-0
                                        • Opcode ID: dfa71c563fdd3f86abd36ff0c39452d42d3ac65bfe0902dbcc75e132f7b123fb
                                        • Instruction ID: f5b5e35a8f5e39a7ec1d66526509653c89d5cf5f55cd20a4d0438053c89b47b6
                                        • Opcode Fuzzy Hash: dfa71c563fdd3f86abd36ff0c39452d42d3ac65bfe0902dbcc75e132f7b123fb
                                        • Instruction Fuzzy Hash: 0C8146B6A083519FC714CF68D980A5BFBE5BFC8754F149A1DF988A7305D630E904CB92
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1bdec504425249df7d768f905e9567903412de52609390fe5c2a96d9cc199017
                                        • Instruction ID: 89847ca70b941f44c9eee74ec84d06175dc28256ed6ce36ff4ed4e2ac50333d2
                                        • Opcode Fuzzy Hash: 1bdec504425249df7d768f905e9567903412de52609390fe5c2a96d9cc199017
                                        • Instruction Fuzzy Hash: A661B071648701AFD314DB28D980E6BB7E9AFD8744F109A1CF99993310EB31E945CBA2
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?), ref: 00E50355
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: BindBitmapClip
                                        • String ID:
                                        • API String ID: 1740425945-0
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?), ref: 00E4FB94
                                        • OffsetRect.USER32(?,?,?), ref: 00E4FBD3
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E4FCAD
                                          • Part of subcall function 00E4F640: OffsetRect.USER32(?,?,00000000), ref: 00E4F672
                                        • OffsetRect.USER32(?,?,?), ref: 00E4FC18
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E4FC7E
                                        Similarity
                                        • API ID: BitmapOffsetRect$Release$BindClip
                                        • String ID:
                                        • API String ID: 56185755-0
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Versionmemset
                                        • String ID: Microsoft YaHei$Microsoft YaHei UI
                                        • API String ID: 3136939366-2872549853
                                        APIs
                                        • XL_GetBitmapInfo.MSVCR90 ref: 00E56A59
                                        • XL_GetLogPen.MSVCR90(?,?), ref: 00E56A93
                                        • XL_GetBitmapBuffer.MSVCR90(?,?,?), ref: 00E56B3B
                                        • XL_GetBitmapBuffer.MSVCR90(?,?,?), ref: 00E56CB0
                                        Similarity
                                        • API ID: Bitmap$Buffer$Info
                                        • String ID:
                                        • API String ID: 2298774921-0
                                        APIs
                                        • XL_GetBitmapInfo.MSVCR90 ref: 00E56489
                                        • XL_GetLogPen.MSVCR90(?,?), ref: 00E564C3
                                        • XL_GetBitmapBuffer.MSVCR90(?,?,?), ref: 00E56580
                                        • XL_GetBitmapBuffer.MSVCR90(?,?,?), ref: 00E566EB
                                        Similarity
                                        • API ID: Bitmap$Buffer$Info
                                        • String ID:
                                        • API String ID: 2298774921-0
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?), ref: 00E4F8D3
                                        • OffsetRect.USER32(?,?,?), ref: 00E4F92A
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E4F9A3
                                        Similarity
                                        • API ID: Bitmap$BindClipOffsetRectRelease
                                        • String ID:
                                        • API String ID: 643899227-0
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?), ref: 00E4FA33
                                        • OffsetRect.USER32(?,?,?), ref: 00E4FAB7
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E4FB1E
                                        Similarity
                                        • API ID: Bitmap$BindClipOffsetRectRelease
                                        • String ID:
                                        • API String ID: 643899227-0
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?), ref: 00E661CB
                                        • XL_CloneBitmap.MSVCR90(00000000), ref: 00E661DA
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E661E2
                                        Similarity
                                        • API ID: Bitmap$BindClipCloneRelease
                                        • String ID:
                                        • API String ID: 4113513451-0
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?), ref: 00E500BC
                                          • Part of subcall function 00E4F530: OffsetRect.USER32(?,?,?), ref: 00E4F53F
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E501A0
                                          • Part of subcall function 00E4F640: OffsetRect.USER32(?,?,00000000), ref: 00E4F672
                                        Similarity
                                        • API ID: BitmapOffsetRect$BindClipRelease
                                        • String ID:
                                        • API String ID: 1744652866-0
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?), ref: 00E5021C
                                          • Part of subcall function 00E4F530: OffsetRect.USER32(?,?,?), ref: 00E4F53F
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E50300
                                          • Part of subcall function 00E4F640: OffsetRect.USER32(?,?,00000000), ref: 00E4F672
                                        Similarity
                                        • API ID: BitmapOffsetRect$BindClipRelease
                                        • String ID:
                                        • API String ID: 1744652866-0
                                        APIs
                                        • XL_ClipSubBindBitmap.MSVCR90(?,?,?,?,?,?,?,?,?,?,?,00E4EC85,?,?,?,?), ref: 00E662EF
                                        • XL_ReleaseBitmap.MSVCR90(00000000), ref: 00E6631A
                                        Similarity
                                        • API ID: Bitmap$BindClipRelease
                                        • String ID:
                                        • API String ID: 1818060704-0
                                        APIs
                                        • XL_ReleaseBitmap.MSVCR90(?,?,00E657B7,00000000,?), ref: 00E65CDD
                                        • XL_ClipSubBindBitmap.MSVCR90(00E657B7,00000004,?,00E657B7,00000000,?), ref: 00E65CF6
                                        Similarity
                                        • API ID: Bitmap$BindClipRelease
                                        • String ID:
                                        • API String ID: 1818060704-0
                                        APIs
                                        • XL_BindExpRect.MSVCR90(?,?,?,?,00E656E6,?,?), ref: 00E66142
                                        • XL_BindExpRect.MSVCR90(?,?,?,?,00E656E6,?,?), ref: 00E66150
                                        Similarity
                                        • API ID: BindRect
                                        • String ID:
                                        • API String ID: 2019094475-0
                                        APIs
                                        • XL_BindRectExpRect.MSVCR90(?,?,00E6566D,00000000,00000010,00000000,00000000,00000000,00000000,00000000,?,00000000,?K,00000000,$5,?), ref: 00E65D1D
                                        Similarity
                                        • API ID: Rect$Bind
                                        • String ID:
                                        • API String ID: 4222664859-0
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: V
                                        • API String ID: 0-4045069856
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 41eb3fd90b5308b96c56c905c3d34159dce1ebdfe3e9f6c08fdaf027db7f4308
                                        • Instruction ID: a135b9d59f2f5d3c5aeba87593047b5a461a7b840bef79cc14cc9ab7ff7def40
                                        • Opcode Fuzzy Hash: 41eb3fd90b5308b96c56c905c3d34159dce1ebdfe3e9f6c08fdaf027db7f4308
                                        • Instruction Fuzzy Hash: 4CF021327046205BC620DA54E804F6BA3D58BC4F14F01592EF846A3281C624AD8182E1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef2c1d442d84a7a808d06f4ab331a4dfc0a37c68a27340e1d96532c91d6b5d9e
                                        • Instruction ID: 45ffa5ff3b178082f39203d1f34f41c2662d152a46165a7b01346f2869e198fe
                                        • Opcode Fuzzy Hash: ef2c1d442d84a7a808d06f4ab331a4dfc0a37c68a27340e1d96532c91d6b5d9e
                                        • Instruction Fuzzy Hash: 1CF0E2767147006BE720EA75E809F27B3E5AFC4F10F05A92EE84AA3241E634EC418361
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3389852d1fce04afb35b551b3a5aef72c403d44c229d5823b8480bc7a1563a4b
                                        • Instruction ID: 438ec9a94439f1b1c5a270e3a4a77faca5947b43d26ef67f13af5c122c0fcdb3
                                        • Opcode Fuzzy Hash: 3389852d1fce04afb35b551b3a5aef72c403d44c229d5823b8480bc7a1563a4b
                                        • Instruction Fuzzy Hash: 05E0C27151410DEBCB08DEA8DE00EBEB3E49B48300F00925CB806D7280DA319E10D790
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 854f2b8601897dd40b6e6c6cd5658ef0193a4cbaa0a446e6b97a2db865c207b8
                                        • Instruction ID: 9d03705ec4cc07d2ae057eb1b9223f6ad4a60090c4e9e376110565fe4d5ea661
                                        • Opcode Fuzzy Hash: 854f2b8601897dd40b6e6c6cd5658ef0193a4cbaa0a446e6b97a2db865c207b8
                                        • Instruction Fuzzy Hash: D7D05E7165410DAB8B04CFA9DD41D7EB3E8EB48310B00825DB809C7280DA31AE109BA0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e693d08852d6a50c49319eb2e8c6b7a4c74d1bb6424840a3f2781e76101f8866
                                        • Instruction ID: 68f8da6a624f3b8822e71120b453185dd4e21e11fc423cf664fb6641510715bc
                                        • Opcode Fuzzy Hash: e693d08852d6a50c49319eb2e8c6b7a4c74d1bb6424840a3f2781e76101f8866
                                        • Instruction Fuzzy Hash: 70D09EF5618301AFD204DE09D885E2BB3E9ABD4610F41CD0CB59982251D375D918DB72
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 913416019ee1888ff84295e56f63eeeea62e606f838235b0179ba7ac94dadca3
                                        • Instruction ID: 7ca08c7f22d5f9ceb13778137b041f994ab5147ec667205d62d77403ce3d1ee2
                                        • Opcode Fuzzy Hash: 913416019ee1888ff84295e56f63eeeea62e606f838235b0179ba7ac94dadca3
                                        • Instruction Fuzzy Hash: 77C08C34309201528A64EA62A844E2FA3C82FA0749B44E82D3486E2805CA20EC18D660
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7fa0f1363769a7409018670b2ad7eb92055c24e737308c12408d7f4aa4e0df5f
                                        • Instruction ID: e0677a5a359e6f8f868840db47d58da2bf60d5ad5f9a33f79f92eb6480f7a126
                                        • Opcode Fuzzy Hash: 7fa0f1363769a7409018670b2ad7eb92055c24e737308c12408d7f4aa4e0df5f
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        • lua_type.XLLUARUNTIME(?,00000001), ref: 00FE319B
                                        • _time64.MSVCR90 ref: 00FE31A9
                                        • luaL_checktype.XLLUARUNTIME(?,00000001,00000005), ref: 00FE31BD
                                        • lua_settop.XLLUARUNTIME(?,00000001,?,00000001,00000005), ref: 00FE31C5
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,sec,?,00000001,?,00000001,00000005), ref: 00FE31D2
                                        • lua_isnumber.XLLUARUNTIME(?,000000FF,?,000000FF,sec,?,00000001,?,00000001,00000005), ref: 00FE31DA
                                        • lua_tointeger.XLLUARUNTIME(?,000000FF), ref: 00FE31E9
                                        • lua_settop.XLLUARUNTIME(?,000000FE), ref: 00FE31FA
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,min,?,000000FE), ref: 00FE320B
                                        • lua_isnumber.XLLUARUNTIME(?,000000FF,?,000000FF,min,?,000000FE), ref: 00FE3213
                                        • lua_tointeger.XLLUARUNTIME(?,000000FF), ref: 00FE3222
                                        • lua_settop.XLLUARUNTIME(?,000000FE), ref: 00FE3233
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,hour,?,000000FE), ref: 00FE3244
                                        • lua_isnumber.XLLUARUNTIME(?,000000FF,?,000000FF,hour,?,000000FE), ref: 00FE324C
                                        • lua_tointeger.XLLUARUNTIME(?,000000FF), ref: 00FE325B
                                        • lua_settop.XLLUARUNTIME(?,000000FE), ref: 00FE326F
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,day,?,000000FE), ref: 00FE3280
                                        • lua_isnumber.XLLUARUNTIME(?,000000FF,?,000000FF,day,?,000000FE), ref: 00FE3288
                                        • lua_tointeger.XLLUARUNTIME(?,000000FF), ref: 00FE3297
                                        • lua_settop.XLLUARUNTIME(?,000000FE,?,000000FF), ref: 00FE32A1
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,month), ref: 00FE32CC
                                        • lua_isnumber.XLLUARUNTIME(?,000000FF,?,000000FF,month), ref: 00FE32D4
                                        • lua_pushnil.XLLUARUNTIME(?), ref: 00FE33BB
                                        • lua_pushnumber.XLLUARUNTIME(?), ref: 00FE33D8
                                        Similarity
                                        • API ID: lua_getfieldlua_isnumberlua_settop$lua_tointeger$L_checktype_time64lua_pushnillua_pushnumberlua_type
                                        • String ID: day$field '%s' missing in date table$hour$isdst$min$month$sec$year
                                        • API String ID: 1683707124-428864666
                                        APIs
                                        • luaL_newmetatable.XLLUARUNTIME(?,_LOADLIB), ref: 00FE24FC
                                          • Part of subcall function 00FD65E0: lua_getfield.XLLUARUNTIME(00000000,FFFFD8F0,?,?,00000000,00FC3332,00000000,?,00000000,00000000,00000000,00FD2F36,?,?,00000000,00000000), ref: 00FD65F1
                                          • Part of subcall function 00FD65E0: lua_type.XLLUARUNTIME(00000000,000000FF,00000000,FFFFD8F0,?,?,00000000,00FC3332,00000000,?,00000000,00000000,00000000,00FD2F36,?,?), ref: 00FD65F9
                                        • lua_pushcclosure.XLLUARUNTIME(?,00FE1C10,00000000,?,_LOADLIB), ref: 00FE2509
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,__gc,?,00FE1C10,00000000,?,_LOADLIB), ref: 00FE2516
                                        • luaL_register.XLLUARUNTIME(?,package,00FF2EE4,?,000000FE,__gc,?,00FE1C10,00000000,?,_LOADLIB), ref: 00FE2526
                                          • Part of subcall function 00FD7600: luaL_openlib.XLLUARUNTIME(?,?,?,00000000,00FCFEB5,00000000,Xunlei.LuaRuntime.Int64,00FF1960,?,?,00FD0161,?), ref: 00FD7611
                                        • lua_pushvalue.XLLUARUNTIME(?,000000FF,?,package,00FF2EE4,?,000000FE,__gc,?,00FE1C10,00000000,?,_LOADLIB), ref: 00FE252E
                                        • lua_replace.XLLUARUNTIME(?,FFFFD8EF,?,000000FF,?,package,00FF2EE4,?,000000FE,__gc,?,00FE1C10,00000000,?,_LOADLIB), ref: 00FE2539
                                        • lua_createtable.XLLUARUNTIME(?,00000000,00000004,?,FFFFD8EF,?,000000FF,?,package,00FF2EE4,?,000000FE,__gc,?,00FE1C10,00000000), ref: 00FE2543
                                        • lua_pushcclosure.XLLUARUNTIME(?,00FE2070,00000000), ref: 00FE255A
                                        • lua_rawseti.XLLUARUNTIME(?,000000FE,00000001,?,00FE2070,00000000), ref: 00FE2564
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,loaders), ref: 00FE257F
                                        • getenv.MSVCR90 ref: 00FE258F
                                        • lua_pushstring.XLLUARUNTIME(?,.\?.lua;!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua), ref: 00FE259E
                                        • luaL_gsub.XLLUARUNTIME(?,00000000,00FF3134,00FF3138), ref: 00FE25B4
                                        • luaL_gsub.XLLUARUNTIME(?,00000000,00FF3130,.\?.lua;!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua,?,00000000,00FF3134,00FF3138), ref: 00FE25C5
                                        • lua_remove.XLLUARUNTIME(?,000000FE,?,00000000,00FF3130,.\?.lua;!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua,?,00000000,00FF3134,00FF3138), ref: 00FE25CD
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,path), ref: 00FE25E2
                                        • getenv.MSVCR90 ref: 00FE25EC
                                        • lua_pushstring.XLLUARUNTIME(?,.\?.dll;!\?.dll;!\loadall.dll), ref: 00FE25FB
                                        • luaL_gsub.XLLUARUNTIME(?,00000000,00FF3134,00FF3138), ref: 00FE2611
                                        • luaL_gsub.XLLUARUNTIME(?,00000000,00FF3130,.\?.dll;!\?.dll;!\loadall.dll,?,00000000,00FF3134,00FF3138), ref: 00FE2622
                                        • lua_remove.XLLUARUNTIME(?,000000FE,?,00000000,00FF3130,.\?.dll;!\?.dll;!\loadall.dll,?,00000000,00FF3134,00FF3138), ref: 00FE262A
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,cpath), ref: 00FE263F
                                        • lua_pushlstring.XLLUARUNTIME(?,\;?!-,00000009,?,000000FE,cpath), ref: 00FE264C
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,config,?,\;?!-,00000009,?,000000FE,cpath), ref: 00FE2659
                                        • luaL_findtable.XLLUARUNTIME(?,FFFFD8F0,_LOADED,00000002,?,000000FE,config,?,\;?!-,00000009,?,000000FE,cpath), ref: 00FE266B
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,loaded,?,FFFFD8F0,_LOADED,00000002,?,000000FE,config,?,\;?!-,00000009,?,000000FE,cpath), ref: 00FE2678
                                        • lua_createtable.XLLUARUNTIME(?,00000000,00000000), ref: 00FE2685
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,preload,?,00000000,00000000), ref: 00FE2692
                                        • lua_pushvalue.XLLUARUNTIME(?,FFFFD8EE,?,000000FE,preload,?,00000000,00000000), ref: 00FE269D
                                        • luaL_register.XLLUARUNTIME(?,00000000,00FF2EFC,?,FFFFD8EE,?,000000FE,preload,?,00000000,00000000), ref: 00FE26AA
                                        • lua_settop.XLLUARUNTIME(?,000000FE,?,00000000,00FF2EFC,?,FFFFD8EE,?,000000FE,preload,?,00000000,00000000), ref: 00FE26B2
                                        Similarity
                                        • API ID: lua_setfield$L_gsub$L_registergetenvlua_createtablelua_pushcclosurelua_pushstringlua_pushvaluelua_remove$L_findtableL_newmetatableL_openliblua_getfieldlua_pushlstringlua_rawsetilua_replacelua_settoplua_type
                                        • String ID: .\?.dll;!\?.dll;!\loadall.dll$.\?.lua;!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua$LUA_CPATH$LUA_PATH$\;?!-$_LOADED$_LOADLIB$__gc$config$cpath$loaded$loaders$package$path$preload
                                        • API String ID: 2371021541-613600958
                                        APIs
                                        • luaL_checklstring.XLLUARUNTIME(?,00000001,00000000), ref: 00FE20EB
                                          • Part of subcall function 00FD70D0: lua_tolstring.XLLUARUNTIME(?,?,?), ref: 00FD70E2
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000004), ref: 00FD70F4
                                          • Part of subcall function 00FD70D0: lua_type.XLLUARUNTIME(?,?,?,00000004), ref: 00FD70FD
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000004), ref: 00FD7104
                                          • Part of subcall function 00FD70D0: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000004), ref: 00FD7119
                                        • lua_settop.XLLUARUNTIME(?,00000001,?,00000001,00000000), ref: 00FE20F5
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,_LOADED,?,00000001,?,00000001,00000000), ref: 00FE2105
                                        • lua_getfield.XLLUARUNTIME(?,00000002,00000000,?,FFFFD8F0,_LOADED,?,00000001,?,00000001,00000000), ref: 00FE210E
                                        • lua_toboolean.XLLUARUNTIME(?,000000FF,?,00000002,00000000,?,FFFFD8F0,_LOADED,?,00000001,?,00000001,00000000), ref: 00FE2116
                                        • lua_touserdata.XLLUARUNTIME(?,000000FF), ref: 00FE2125
                                        • luaL_error.XLLUARUNTIME(?,loop or previous error loading module '%s',00000000), ref: 00FE213F
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8EF,loaders), ref: 00FE215A
                                        • lua_type.XLLUARUNTIME(?,000000FF,?,FFFFD8EF,loaders), ref: 00FE2162
                                        • luaL_error.XLLUARUNTIME(?,'package.loaders' must be a table), ref: 00FE2175
                                        • lua_pushlstring.XLLUARUNTIME(?,00FF17D3,00000000), ref: 00FE2186
                                        • lua_rawgeti.XLLUARUNTIME(?,000000FE,00000001), ref: 00FE2197
                                        • lua_type.XLLUARUNTIME(?,000000FF,?,000000FE,00000001), ref: 00FE219F
                                        • lua_tolstring.XLLUARUNTIME(?,000000FE,00000000), ref: 00FE21AF
                                        • luaL_error.XLLUARUNTIME(?,module '%s' not found:%s,00000000,00000000,?,000000FE,00000000), ref: 00FE21BC
                                        • lua_pushstring.XLLUARUNTIME(?,00000000), ref: 00FE21C6
                                        • lua_type.XLLUARUNTIME(?,000000FF,?,00000001,00000001,?,00000000), ref: 00FE21D8
                                        • lua_isstring.XLLUARUNTIME(?,000000FF), ref: 00FE21E8
                                        • lua_concat.XLLUARUNTIME(?,00000002), ref: 00FE21F7
                                        • lua_settop.XLLUARUNTIME(?,000000FE), ref: 00FE2205
                                        • lua_pushlightuserdata.XLLUARUNTIME(?,00FF2EE0), ref: 00FE2216
                                        • lua_setfield.XLLUARUNTIME(?,00000002,00000000,?,00FF2EE0), ref: 00FE221F
                                        • lua_pushstring.XLLUARUNTIME(?,00000000,?,00000002,00000000,?,00FF2EE0), ref: 00FE2226
                                        • lua_type.XLLUARUNTIME(?,000000FF,?,00000001,00000001,?,00000000,?,00000002,00000000,?,00FF2EE0), ref: 00FE2238
                                        • lua_setfield.XLLUARUNTIME(?,00000002,00000000), ref: 00FE2249
                                        Similarity
                                        • API ID: lua_type$L_errorlua_getfield$lua_concatlua_pushstringlua_setfieldlua_settoplua_tolstringlua_typename$L_argerrorL_checklstringL_wherelua_errorlua_isstringlua_pushlightuserdatalua_pushlstringlua_pushvfstringlua_rawgetilua_tobooleanlua_touserdata
                                        • String ID: 'package.loaders' must be a table$_LOADED$loaders$loop or previous error loading module '%s'$module '%s' not found:%s
                                        • API String ID: 1807688677-732368299
                                        APIs
                                        • png_create_read_struct_2.LIBPNG13(1.2.50,00000000,00000000,00000000,00000000,00E7F5A0,00E4D810,61C1F77A), ref: 00E4D983
                                        • png_create_info_struct.LIBPNG13(00000000,?,?,?,61C1F77A), ref: 00E4D993
                                        • png_destroy_read_struct.LIBPNG13(?,?,00000000,?,?,?,?,?,?,?,?,?,61C1F77A), ref: 00E4D9A8
                                        • _setjmp3.MSVCR90 ref: 00E4D9D8
                                        • png_set_read_fn.LIBPNG13(?,?,00E4D820,?,?,?,?,?,?,?,?,?,61C1F77A), ref: 00E4DA18
                                        • png_set_error_fn.LIBPNG13(?,00000000,00E4D850,00000000,?,?,00E4D820), ref: 00E4DA28
                                        • png_read_info.LIBPNG13(?,?,?,00000000,00E4D850,00000000,?,?,00E4D820), ref: 00E4DA35
                                        • png_set_strip_16.LIBPNG13(?), ref: 00E4DA4A
                                        • png_set_gray_to_rgb.LIBPNG13(?), ref: 00E4DA7B
                                        • png_set_palette_to_rgb.LIBPNG13(?,?), ref: 00E4DA84
                                        • png_set_palette_to_rgb.LIBPNG13(?), ref: 00E4DA96
                                        • png_set_palette_to_rgb.LIBPNG13(?), ref: 00E4DAA7
                                        • png_set_gray_to_rgb.LIBPNG13(?), ref: 00E4DAC5
                                        • png_set_palette_to_rgb.LIBPNG13(?,?), ref: 00E4DACE
                                        • png_set_filler.LIBPNG13(?,000000FF,00000001), ref: 00E4DAE1
                                        • png_set_bgr.LIBPNG13(?), ref: 00E4DAF6
                                        • png_read_update_info.LIBPNG13(?,?), ref: 00E4DB06
                                        • longjmp.MSVCR90(?,00000001), ref: 00E4DB84
                                        • png_read_image.LIBPNG13(?,00000000), ref: 00E4DBCC
                                        • png_destroy_read_struct.LIBPNG13(?,?,00000000), ref: 00E4DBEB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: png_set_palette_to_rgb$png_destroy_read_structpng_set_gray_to_rgb$_setjmp3longjmppng_create_info_structpng_create_read_struct_2png_read_imagepng_read_infopng_read_update_infopng_set_bgrpng_set_error_fnpng_set_fillerpng_set_read_fnpng_set_strip_16
                                        • String ID: 1.2.50
                                        • API String ID: 388551500-3960229140
                                        • Opcode ID: 74a2dd845bcadbffd0d73888938f1b47b233889d18036908e08699d5c1ea4dec
                                        • Instruction ID: 1b3e2be0a971fbaea7eaea069877426235f5a538f078760a5d3ad0156d73e97f
                                        • Opcode Fuzzy Hash: 74a2dd845bcadbffd0d73888938f1b47b233889d18036908e08699d5c1ea4dec
                                        • Instruction Fuzzy Hash: 78A123B1E08218ABDF14EBA4EC86FBFB7B9EF84704F141569F509B7241D6319902C7A1
                                        APIs
                                        • luaL_checklstring.XLLUARUNTIME(?,00000001,00000000), ref: 00FC30A0
                                          • Part of subcall function 00FD70D0: lua_tolstring.XLLUARUNTIME(?,?,?), ref: 00FD70E2
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000004), ref: 00FD70F4
                                          • Part of subcall function 00FD70D0: lua_type.XLLUARUNTIME(?,?,?,00000004), ref: 00FD70FD
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000004), ref: 00FD7104
                                          • Part of subcall function 00FD70D0: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000004), ref: 00FD7119
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,?), ref: 00FC3170
                                        • lua_type.XLLUARUNTIME(?,000000FF,?,FFFFD8F0,?), ref: 00FC3178
                                        • luaL_newmetatable.XLLUARUNTIME(?,?), ref: 00FC318A
                                        • lua_pushvalue.XLLUARUNTIME(?,000000FF,?,?), ref: 00FC3192
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,__index,?,000000FF,?,?), ref: 00FC319F
                                        • lua_pushstring.XLLUARUNTIME(?,?,?,000000FE,__index,?,000000FF,?,?), ref: 00FC31AA
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,__classname,?,?,?,000000FE,__index,?,000000FF,?,?), ref: 00FC31B7
                                        • luaL_register.XLLUARUNTIME(?,00000000,00000000,?,00000000,?,?), ref: 00FC31DD
                                        • lua_settop.XLLUARUNTIME(?,00000000), ref: 00FC31EE
                                        • lua_newuserdata.XLLUARUNTIME(?,00000004,?,00000000), ref: 00FC31F6
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,?,?,00000004,?,00000000), ref: 00FC320C
                                        • lua_setmetatable.XLLUARUNTIME(?,000000FE,?,FFFFD8F0,?,?,00000004,?,00000000), ref: 00FC3214
                                        • lua_pushboolean.XLLUARUNTIME(?,00000001,?,000000FE,?,FFFFD8F0,?,?,00000004,?,00000000), ref: 00FC321C
                                          • Part of subcall function 00FCB900: EnterCriticalSection.KERNEL32(?,?,?,?,00FD2B23), ref: 00FCB909
                                          • Part of subcall function 00FCB900: LeaveCriticalSection.KERNEL32(?,?,?,?,00FD2B23), ref: 00FCB919
                                        • lua_pushnil.XLLUARUNTIME(?), ref: 00FC3252
                                        • lua_pushboolean.XLLUARUNTIME(?,00000000,?), ref: 00FC325A
                                          • Part of subcall function 00FC2FC0: lua_getfield.XLLUARUNTIME(?,FFFFD8F0,XLLRT_RUNTIME,?,?,00FD2D5A,?), ref: 00FC2FD1
                                          • Part of subcall function 00FC2FC0: lua_touserdata.XLLUARUNTIME(?,000000FF,?,FFFFD8F0,XLLRT_RUNTIME,?,?,00FD2D5A,?), ref: 00FC2FD9
                                          • Part of subcall function 00FC2FC0: lua_settop.XLLUARUNTIME(?,000000FE,?,000000FF,?,FFFFD8F0,XLLRT_RUNTIME,?,?,00FD2D5A,?), ref: 00FC2FE3
                                          • Part of subcall function 00FCCC10: EnterCriticalSection.KERNEL32(00000024,E3DC3B0A,00000000,?,00000000,00000000,?,?,?,Function_0002FA00,000000FF,00FC30DB,?,00000000), ref: 00FCCC41
                                          • Part of subcall function 00FCCC10: LeaveCriticalSection.KERNEL32(00000024,?,?,?,?,?), ref: 00FCCD53
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: CriticalSection$lua_getfield$EnterLeavelua_pushbooleanlua_setfieldlua_settoplua_typelua_typename$L_argerrorL_checklstringL_newmetatableL_registerlua_newuserdatalua_pushnillua_pushstringlua_pushvaluelua_setmetatablelua_tolstringlua_touserdata
                                        • String ID: __classname$__index
                                        • API String ID: 3177069667-10037376
                                        • Opcode ID: 3328abddb1cd3c67d347c82df628eec2bcb9cc77a4fc8419b4679979011d459b
                                        • Instruction ID: e4926e12d789b26ee081a91f812ef8fc25486f151a898c85faff968528d204dc
                                        • Opcode Fuzzy Hash: 3328abddb1cd3c67d347c82df628eec2bcb9cc77a4fc8419b4679979011d459b
                                        • Instruction Fuzzy Hash: 8B41F4706047057BC710BB249D42F6F73AAAFC5720F18462DF90567392DE3CEA05A6EA
                                        APIs
                                        • luaL_checkany.XLLUARUNTIME(?,00000001), ref: 00FD8198
                                          • Part of subcall function 00FD70A0: lua_type.XLLUARUNTIME(?,?), ref: 00FD70AC
                                          • Part of subcall function 00FD70A0: luaL_argerror.XLLUARUNTIME(?,?,value expected), ref: 00FD70C0
                                        • luaL_callmeta.XLLUARUNTIME(?,00000001,__tostring,?,00000001), ref: 00FD81A5
                                          • Part of subcall function 00FD66D0: lua_gettop.XLLUARUNTIME(?), ref: 00FD66E8
                                          • Part of subcall function 00FD66D0: luaL_getmetafield.XLLUARUNTIME(?,?,?), ref: 00FD66FB
                                        • lua_type.XLLUARUNTIME(?,00000001), ref: 00FD81B8
                                        • lua_tolstring.XLLUARUNTIME(?,00000001,00000000), ref: 00FD81D1
                                        • lua_pushstring.XLLUARUNTIME(?,00000000,?,00000001,00000000), ref: 00FD81D8
                                        • lua_pushvalue.XLLUARUNTIME(?,00000001), ref: 00FD81EA
                                        • lua_toboolean.XLLUARUNTIME(?,00000001), ref: 00FD81FC
                                        • lua_pushstring.XLLUARUNTIME(?,true), ref: 00FD8214
                                        • lua_pushlstring.XLLUARUNTIME(?,nil,00000003), ref: 00FD822B
                                        • lua_topointer.XLLUARUNTIME(?,00000001), ref: 00FD823D
                                        • lua_type.XLLUARUNTIME(?,00000001,00000000), ref: 00FD8249
                                        • lua_typename.XLLUARUNTIME(?,00000000,?,00000001,00000000), ref: 00FD8250
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_type$lua_pushstring$L_argerrorL_callmetaL_checkanyL_getmetafieldlua_gettoplua_pushlstringlua_pushvaluelua_tobooleanlua_tolstringlua_topointerlua_typename
                                        • String ID: %s: %p$__tostring$false$nil$true
                                        • API String ID: 1790956452-3663562000
                                        • Opcode ID: 17e726cc40ca8b80d8f57b69b982ecd8188df13cf8d171b9f309506e5ed8fad5
                                        • Instruction ID: 0514f93abe7e8a59d937b282d8a5b7070ca4f9494f6022d3eb2f52182617888f
                                        • Opcode Fuzzy Hash: 17e726cc40ca8b80d8f57b69b982ecd8188df13cf8d171b9f309506e5ed8fad5
                                        • Instruction Fuzzy Hash: 22112475A5192476FA6131187C43FEE310B4F12B17F8C0062F904A93C7E68E9B9631EB
                                        APIs
                                        • memset.MSVCR90 ref: 00E8004B
                                        • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,00000000), ref: 00E800A4
                                        • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,?,00000000), ref: 00E800BE
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E800C9
                                        • RegEnumValueW.ADVAPI32(?,?,?,?,00000000,?,?,?,?,00000000), ref: 00E80123
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 00E801D7
                                        • lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00E801FC
                                        • RegEnumValueW.ADVAPI32(?,00000001,?,?,00000000,?,?,?), ref: 00E8023E
                                        • wcsncpy.MSVCR90 ref: 00E802CB
                                        • wcsrchr.MSVCR90 ref: 00E80304
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E80355
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E8035C
                                        Strings
                                        • ), xrefs: 00E802EF
                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts, xrefs: 00E8006A
                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink, xrefs: 00E80055
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: CloseEnumValue$Open$lstrcmpimemsetwcsncpywcsrchr
                                        • String ID: )$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
                                        • API String ID: 3496336313-354869487
                                        • Opcode ID: ddebd19692fc64350d4c9c70b494349ead3a41e5958e1e17693a236897c22065
                                        • Instruction ID: 5b3913ca7d15aca87e0c5ad9d3d43b3f73eda96b2047cad1945476f46bf054ba
                                        • Opcode Fuzzy Hash: ddebd19692fc64350d4c9c70b494349ead3a41e5958e1e17693a236897c22065
                                        • Instruction Fuzzy Hash: 2FB19EB2504340AFD760DF54D880AABB7E9FF88318F04592EF58EA7251D7709A49CB92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: sprintf
                                        • String ID: 5$$5$%d+(height-%d)/2$(height-%d)/2$height-%d$height-%d-(height-%d)/2$width
                                        • API String ID: 590974362-916181144
                                        • Opcode ID: ddece58ff38ccbc74c8094dabe0b2c3d72550a21332be3d3cd8e87148770f8f0
                                        • Instruction ID: 6e59a4f6e482a9a0a2bee3793f35f0641507977d2a414f3d355b354065972574
                                        • Opcode Fuzzy Hash: ddece58ff38ccbc74c8094dabe0b2c3d72550a21332be3d3cd8e87148770f8f0
                                        • Instruction Fuzzy Hash: 1C9159B2608740AFC714CFA8D880C6FBBE9EBC8754F409A1EF59997260D670E905CB52
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: sprintf
                                        • String ID: 5$$5$%d+(width-%d)/2$(width-%d)/2$height$width-%d$width-%d-(width-%d)/2
                                        • API String ID: 590974362-326185238
                                        • Opcode ID: 160b9943f7ccd368ae1b726f6a6f01a12de875852392edd02fa19288c9a6ff0d
                                        • Instruction ID: 9a74d1fb8d804d13e90d08ef8f703d09996aea6d8cdf40fbc330749e88cbf742
                                        • Opcode Fuzzy Hash: 160b9943f7ccd368ae1b726f6a6f01a12de875852392edd02fa19288c9a6ff0d
                                        • Instruction Fuzzy Hash: E6817FB2618340AFC714CF68D880DABF7E9FBC8754F509A1EF19993291D670E905CB92
                                        APIs
                                        • luaL_checklstring.XLLUARUNTIME(?,00000001,00000000,E3DC3B0A), ref: 00FC421F
                                          • Part of subcall function 00FD70D0: lua_tolstring.XLLUARUNTIME(?,?,?), ref: 00FD70E2
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000004), ref: 00FD70F4
                                          • Part of subcall function 00FD70D0: lua_type.XLLUARUNTIME(?,?,?,00000004), ref: 00FD70FD
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000004), ref: 00FD7104
                                          • Part of subcall function 00FD70D0: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000004), ref: 00FD7119
                                        • lua_tolstring.XLLUARUNTIME(?,00000002,00000000,?,00000001,00000000,E3DC3B0A), ref: 00FC422A
                                        • XLLRT_DebugCreateStackMemPool.XLLUARUNTIME(?), ref: 00FC42B2
                                        • XLLRT_DebugOutputLuaStack.XLLUARUNTIME(?,?), ref: 00FC42BD
                                        • XLLRT_DebugCreateLogs.XLLUARUNTIME(?), ref: 00FC42CB
                                        • XLLRT_DebugMemPoolGetLogs.XLLUARUNTIME(?,?,?), ref: 00FC42DA
                                        • XLLRT_DebugLogsPopNextLog.XLLUARUNTIME(?,?,?), ref: 00FC4306
                                        • XLLRT_DebugLogsPopNextLog.XLLUARUNTIME(?,?,?,?,?,?,?), ref: 00FC433E
                                        • XLLRT_DebugDestroyLogs.XLLUARUNTIME(?,?,?,?), ref: 00FC434C
                                        • XLLRT_DebugDesroyStackMemPool.XLLUARUNTIME(?,?,?,?), ref: 00FC4356
                                        • MessageBoxW.USER32(00000000,?,?,00000243), ref: 00FC4394
                                        Strings
                                        • ---Yes to check lua statck, No to debug, Cancel to ignore---, xrefs: 00FC435D
                                        • -----------lua stack-----------, xrefs: 00FC4458
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: Debug$Logs$PoolStack$CreateNextlua_tolstringlua_typename$DesroyDestroyL_argerrorL_checklstringMessageOutputlua_type
                                        • String ID: -----------lua stack-----------$---Yes to check lua statck, No to debug, Cancel to ignore---
                                        • API String ID: 1080134755-3212015147
                                        • Opcode ID: 996d0f8121b5ef8f794a346213b1b821cbb1b56029e71f5fe9cdd1115360d778
                                        • Instruction ID: 1ead067d8edf6d4c01d0f47948adbc8f50d12e80fd2ed5dff6f7c7cfeaffb0a0
                                        • Opcode Fuzzy Hash: 996d0f8121b5ef8f794a346213b1b821cbb1b56029e71f5fe9cdd1115360d778
                                        • Instruction Fuzzy Hash: 5871BEB19083819FD310DF64D992F6BB7E9AFC8710F44492EF58587241E778E908EB52
                                        APIs
                                        • lua_touserdata.XLLUARUNTIME(?,?,?,?,?,?,?,?,?), ref: 00FD3183
                                        • lua_objlen.XLLUARUNTIME(?,?), ref: 00FD31A1
                                        • lua_getmetatable.XLLUARUNTIME(?,?), ref: 00FD31E3
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,__classname), ref: 00FD31FB
                                        • lua_tolstring.XLLUARUNTIME(?,000000FF,00000000,?,000000FF,__classname), ref: 00FD3205
                                        • lua_settop.XLLUARUNTIME(?,000000FD,00000000,?), ref: 00FD323C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_getfieldlua_getmetatablelua_objlenlua_settoplua_tolstringlua_touserdata
                                        • String ID: "$#$__classname
                                        • API String ID: 1184533429-373965598
                                        • Opcode ID: a38e138ca8d3e9efad2decea748f8998cdb86e8a38b21738e41d6386bcc4daf4
                                        • Instruction ID: 1996a497fee98e3bb5bc7c152979a9f47a533effc2d9487bbf43a5b1190ea7ef
                                        • Opcode Fuzzy Hash: a38e138ca8d3e9efad2decea748f8998cdb86e8a38b21738e41d6386bcc4daf4
                                        • Instruction Fuzzy Hash: 7341B032B0530A57C600EB58EC86E6F73999FC5336F08062EF15157382DB3AD609A7E2
                                        APIs
                                        • lua_checkstack.XLLUARUNTIME ref: 00FD8481
                                        • lua_xmove.XLLUARUNTIME ref: 00FD84C0
                                        • lua_setlevel.XLLUARUNTIME ref: 00FD84C7
                                        • lua_resume.XLLUARUNTIME ref: 00FD84CE
                                        • lua_xmove.XLLUARUNTIME(?,?,00000001), ref: 00FD84E3
                                        • lua_gettop.XLLUARUNTIME ref: 00FD84F3
                                        • lua_checkstack.XLLUARUNTIME(?,00000001), ref: 00FD84FF
                                        • luaL_error.XLLUARUNTIME(?,too many arguments to resume), ref: 00FD8493
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        • luaL_error.XLLUARUNTIME(?,too many results to resume), ref: 00FD8511
                                        • lua_xmove.XLLUARUNTIME(?,?,00000000), ref: 00FD851C
                                        Strings
                                        • too many arguments to resume, xrefs: 00FD848D
                                        • too many results to resume, xrefs: 00FD850B
                                        • cannot resume %s coroutine, xrefs: 00FD84A8
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_xmove$L_errorlua_checkstack$L_wherelua_concatlua_errorlua_gettoplua_pushvfstringlua_resumelua_setlevel
                                        • String ID: cannot resume %s coroutine$too many arguments to resume$too many results to resume
                                        • API String ID: 3545457739-823306324
                                        • Opcode ID: f30648bbdf2490e9d68c55d4d9de7e89bcde0ab4d9bfddf816b511db16f0034b
                                        • Instruction ID: d83f996e40f6929bc816bf0e57212033d67c362860e63914eeb619e9f7e22ddf
                                        • Opcode Fuzzy Hash: f30648bbdf2490e9d68c55d4d9de7e89bcde0ab4d9bfddf816b511db16f0034b
                                        • Instruction Fuzzy Hash: D911E56690122537D51132783C87EBB335E8D93BA970C0227F904913A7FF4EA94170F6
                                        APIs
                                        • strncmp.MSVCR90(?,%!PS-Adobe-3.0 Resource-CIDFont,0000001F), ref: 00EA7229
                                        • strncmp.MSVCR90(?,StartData,00000009), ref: 00EA72C8
                                        • strncmp.MSVCR90(?,/sfnts,00000006), ref: 00EA72DF
                                        • memmove.MSVCR90 ref: 00EA72F5
                                        • strncmp.MSVCR90(?,StartData,00000009), ref: 00EA73E8
                                        • strncmp.MSVCR90(?,/sfnts,00000006), ref: 00EA7403
                                        • strncmp.MSVCR90(?,(Hex),00000005), ref: 00EA7490
                                        • atol.MSVCR90(?), ref: 00EA749E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: strncmp$atolmemmove
                                        • String ID: %!PS-Adobe-3.0 Resource-CIDFont$(Hex)$/sfnts$StartData
                                        • API String ID: 3562715906-2034626156
                                        • Opcode ID: 332c42ae18db65c55a063066384c0eae62766a787b399e5bdda3e21e790d2344
                                        • Instruction ID: 0c58dd65b5a4b044732eec600373aeba3fda20d83f6d8b07cb912bc94181d2b0
                                        • Opcode Fuzzy Hash: 332c42ae18db65c55a063066384c0eae62766a787b399e5bdda3e21e790d2344
                                        • Instruction Fuzzy Hash: 1281D4716083055FD720EF24DC84B6BB7E4EF89714F04452DFC99AB242E675FA0987A2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: sprintf
                                        • String ID: 5$$5$(width-%d)/2$(width-%d)/2+%d$height$width-(width-%d)/2-%d
                                        • API String ID: 590974362-2393546187
                                        • Opcode ID: 6076537683893df38e0dd59bdccd615bf697f8dbabb46c2e6684c1fd3fa584d4
                                        • Instruction ID: d80a86c3cc8a49ef3dca87dc2f261a12c488e06991648bde1c83438d023bddf6
                                        • Opcode Fuzzy Hash: 6076537683893df38e0dd59bdccd615bf697f8dbabb46c2e6684c1fd3fa584d4
                                        • Instruction Fuzzy Hash: F68105B1548341AFC710DF69EC84AABB7E8EFC8354F044A1EF59593291E731D908CBA2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: sprintf
                                        • String ID: 5$$5$(height-%d)/2$(height-%d)/2+%d$height-(height-%d)/2-%d$width
                                        • API String ID: 590974362-2187022414
                                        • Opcode ID: 6d49ed716881d0007edc7cf092bd15f62a8c28ca1cfe23a522e9dba8d9deeef7
                                        • Instruction ID: 24f8cc5d27505317a2011a2fe34ba8c120ec1af7cba787d01afbf0923a4eadff
                                        • Opcode Fuzzy Hash: 6d49ed716881d0007edc7cf092bd15f62a8c28ca1cfe23a522e9dba8d9deeef7
                                        • Instruction Fuzzy Hash: DF7173B15043409FD720DF64EC84EABB7E8FBC8754F049A0DF59997291D631DA08CBA2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: wcsncpy$memsetwcsstr
                                        • String ID: @
                                        • API String ID: 825764456-2766056989
                                        • Opcode ID: 963d6af7e298da98d4a24dcf5a3b446f1db9bed14ff9a6bb8a1e2ffa3430b5ed
                                        • Instruction ID: f2a3accb267fb05a62a878374b14a2ed2ab35764b97b4f6827c537f34513b9c2
                                        • Opcode Fuzzy Hash: 963d6af7e298da98d4a24dcf5a3b446f1db9bed14ff9a6bb8a1e2ffa3430b5ed
                                        • Instruction Fuzzy Hash: 5A418671904345ABDB24DF64DC81AEB77E8EFC8300F00592EE94AA7240E775D5098B92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_checklstring_errnofprintffwritelua_gettoplua_pushbooleanlua_pushintegerlua_pushnillua_tonumberlua_typestrerror
                                        • String ID: %.14g
                                        • API String ID: 2522848508-3267037135
                                        • Opcode ID: 1efab1bc8495cbe12ea4e50c09f1bc50392f56076e9403b6e0f37c0c5974a0e3
                                        • Instruction ID: 76a270396ad158c4ecd4694d15bf52486b10c941b62256146f8de2f5411d91e9
                                        • Opcode Fuzzy Hash: 1efab1bc8495cbe12ea4e50c09f1bc50392f56076e9403b6e0f37c0c5974a0e3
                                        • Instruction Fuzzy Hash: B121FB72C00204EBE2106724DC86F7B736EDF51B25F8C052BFD0697352E6659D54B6A2
                                        APIs
                                        • lua_isuserdata.XLLUARUNTIME(?,00000001), ref: 00FCF48E
                                        • lua_tointeger.XLLUARUNTIME(?,00000001), ref: 00FCF4A4
                                        • lua_isuserdata.XLLUARUNTIME(?,00000002), ref: 00FCF4B8
                                        • lua_tointeger.XLLUARUNTIME(?,00000002), ref: 00FCF4CE
                                        • lua_newuserdata.XLLUARUNTIME(?,00000008), ref: 00FCF4DE
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,_LOADED,00000000,?,?,?), ref: 00FCF509
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED,00000000,?,?,?), ref: 00FCF516
                                        • lua_setmetatable.XLLUARUNTIME(?,000000FD,?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED,00000000,?,?,?), ref: 00FCF51E
                                        • lua_settop.XLLUARUNTIME(?,000000FE,?,000000FD,?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED,00000000,?,?,?), ref: 00FCF526
                                          • Part of subcall function 00FCF1C0: lua_touserdata.XLLUARUNTIME(?,?,?,?,?,00FCFE3F,?,?), ref: 00FCF1CD
                                          • Part of subcall function 00FCF1C0: lua_getmetatable.XLLUARUNTIME(?,?), ref: 00FCF1DD
                                          • Part of subcall function 00FCF1C0: lua_getfield.XLLUARUNTIME(?,FFFFD8F0,_LOADED), ref: 00FCF1F4
                                          • Part of subcall function 00FCF1C0: lua_getfield.XLLUARUNTIME(?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED), ref: 00FCF201
                                          • Part of subcall function 00FCF1C0: lua_rawequal.XLLUARUNTIME(?,000000FF,000000FD,?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED), ref: 00FCF20B
                                          • Part of subcall function 00FCF1C0: lua_settop.XLLUARUNTIME(?,000000FC), ref: 00FCF21A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_getfield$lua_isuserdatalua_settoplua_tointeger$lua_getmetatablelua_newuserdatalua_rawequallua_setmetatablelua_touserdata
                                        • String ID: Xunlei.LuaRuntime.Int64$_LOADED
                                        • API String ID: 2764434586-3892714049
                                        • Opcode ID: 4c8aac07075a2655cae7c17883f27ac8e22e12ce01181265828b0e6971b3b5fd
                                        • Instruction ID: f4898dc4f4cad73074e3574bbd96e4fb2a54e7533d39d9a80b5b759c1969768c
                                        • Opcode Fuzzy Hash: 4c8aac07075a2655cae7c17883f27ac8e22e12ce01181265828b0e6971b3b5fd
                                        • Instruction Fuzzy Hash: B31159719457127AD604B7249C03F9F758E4F56B62F680137F904A23C2E99DA50862F7
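The function records on this page follow one fixed layout: an `APIs` list of `name.MODULE(args), ref: ADDR` lines (with `Part of subcall function ADDR:` prefixes for calls reached through a callee), an optional `Strings` list with `xrefs`, a `Memory Dump Source` block whose `Offset:` is the image base of the dumped module, and a `Similarity` block carrying the `API ID`, `String ID`, `Opcode ID` and fuzzy hashes. The parser below is an added example, not Joe Sandbox code; it turns one such record (a constructed sample copied from the `lua_isuserdata` record above) into structured data so an analyst can pull the literal string arguments, rebase call sites to RVAs for a static copy of the module, and collect Opcode IDs to pivot on across reports. It assumes the `$` in `String ID` is a field separator (ambiguous if a literal itself contains `$`) and that comma-separated API arguments contain no commas.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout of this page's "APIs / Strings / Memory Dump
# Source / Similarity" blocks; the values are copied from one record above.
SAMPLE = """\
APIs
• lua_isuserdata.XLLUARUNTIME(?,00000001), ref: 00FCF48E
• lua_tointeger.XLLUARUNTIME(?,00000001), ref: 00FCF4A4
• lua_newuserdata.XLLUARUNTIME(?,00000008), ref: 00FCF4DE
• lua_getfield.XLLUARUNTIME(?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED,00000000,?,?,?), ref: 00FCF516
  • Part of subcall function 00FCF1C0: lua_touserdata.XLLUARUNTIME(?,?,?,?,?,00FCFE3F,?,?), ref: 00FCF1CD
  • Part of subcall function 00FCF1C0: lua_rawequal.XLLUARUNTIME(?,000000FF,000000FD,?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED), ref: 00FCF20B
Strings
Memory Dump Source
• Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
Similarity
• API ID: lua_getfield$lua_isuserdatalua_settoplua_tointeger$lua_getmetatablelua_newuserdatalua_rawequallua_setmetatablelua_touserdata
• String ID: Xunlei.LuaRuntime.Int64$_LOADED
• Opcode ID: 4c8aac07075a2655cae7c17883f27ac8e22e12ce01181265828b0e6971b3b5fd
• Instruction Fuzzy Hash: B31159719457127AD604B7249C03F9F758E4F56B62F680137F904A23C2E99DA50862F7
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# "• name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function ADDR:".
# The args group is greedy so a literal containing ')' (e.g. "(%s)") is kept whole.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[^(\s]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
STR_LINE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")  # Strings section
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
HEX32 = re.compile(r"[0-9A-F]{8}")                                       # a raw 32-bit argument
FIELDS = {"API ID": "api_id", "String ID": "string_ids",
          "Opcode ID": "opcode_id", "Instruction Fuzzy Hash": "instruction_fuzzy"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # virtual address of the call site in the dump
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)  # (literal, xref)
    source_file: str = ""
    image_base: Optional[int] = None
    api_id: str = ""
    string_ids: List[str] = field(default_factory=list)
    opcode_id: str = ""
    instruction_fuzzy: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; every 'APIs' heading starts a new one."""
    records: List[FunctionRecord] = []
    section = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not records or not line.startswith("•"):
            continue
        rec = records[-1]
        if section == "APIs":
            m = API_LINE.match(line)
            if m:  # splitting args on ',' assumes no literal contains a comma
                args = m["args"].split(",") if m["args"] is not None else []
                sub = int(m["sub"], 16) if m["sub"] else None
                rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif section == "Strings":
            m = STR_LINE.match(line)
            if m:
                rec.strings.append((m["text"], int(m["ref"], 16)))
        elif (m := KV_LINE.match(line)):
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Source File":  # "…sdmp, Offset: 00FC0000, based on PE: true"
                rec.source_file = val.split(",")[0]
                off = re.search(r"Offset: ([0-9A-F]+)", val)
                rec.image_base = int(off.group(1), 16) if off else None
            elif key in FIELDS:  # String ID joins literals with '$' (assumed separator)
                setattr(rec, FIELDS[key], val.split("$") if key == "String ID" else val)
    return records


def literal_args(rec: FunctionRecord) -> List[str]:
    """String literals passed to the record's APIs: not '?' and not an 8-digit hex value."""
    out: List[str] = []
    for call in rec.apis:
        for a in call.args:
            if a and a != "?" and not HEX32.fullmatch(a) and a not in out:
                out.append(a)
    return out


def call_rvas(rec: FunctionRecord) -> List[int]:
    """RVAs of the function's own call sites (subcall lines excluded) relative to the dump's image base."""
    base = rec.image_base or 0
    return [c.ref - base for c in rec.apis if c.subcall_of is None]
```

Running `parse_records` over a whole report and keying the result by `opcode_id` gives a quick way to see which records recur between the `00000000C` (XLLUARUNTIME) and `0000000D` modules, and `call_rvas` lets the `ref:` addresses be looked up in a static disassembly of the dumped module rather than in the live process.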
                                        APIs
                                        • luaL_checkany.XLLUARUNTIME(?,00000001), ref: 00FDE5D9
                                          • Part of subcall function 00FD70A0: lua_type.XLLUARUNTIME(?,?), ref: 00FD70AC
                                          • Part of subcall function 00FD70A0: luaL_argerror.XLLUARUNTIME(?,?,value expected), ref: 00FD70C0
                                        • lua_touserdata.XLLUARUNTIME(?,00000001,?,00000001), ref: 00FDE5E1
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,FILE*,?,00000001,?,00000001), ref: 00FDE5F3
                                        • lua_getmetatable.XLLUARUNTIME(?,00000001), ref: 00FDE602
                                        • lua_rawequal.XLLUARUNTIME(?,000000FE,000000FF), ref: 00FDE613
                                        • lua_pushlstring.XLLUARUNTIME(?,closed file,0000000B), ref: 00FDE62C
                                        • lua_pushlstring.XLLUARUNTIME(?,file,00000004), ref: 00FDE644
                                        • lua_pushnil.XLLUARUNTIME(?), ref: 00FDE655
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_pushlstring$L_argerrorL_checkanylua_getfieldlua_getmetatablelua_pushnillua_rawequallua_touserdatalua_type
                                        • String ID: FILE*$closed file$file
                                        • API String ID: 629077095-1636238272
                                        • Opcode ID: d84a2a5dd7cfae07c8041835a1e40dba4f2d9867259e67b7822220af5cffa196
                                        • Instruction ID: 53d931f807cbfc8b4a7556ca19d9e90f012f7dcb3228b043f61ee31f009e6afe
                                        • Opcode Fuzzy Hash: d84a2a5dd7cfae07c8041835a1e40dba4f2d9867259e67b7822220af5cffa196
                                        • Instruction Fuzzy Hash: 40016772A6562531D921311CBC03FDF724B4F62B36F5C0123F900693D6E6D9D58670AB
                                        APIs
                                        • strncmp.MSVCR90(00000000,width,?,?,00000000,61C1F77A), ref: 00EC7B98
                                        • strncmp.MSVCR90(00000000,height,?), ref: 00EC7C00
                                        • strncmp.MSVCR90(00000000,right,?), ref: 00EC7C68
                                          • Part of subcall function 00EC91B0: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00EC91D9
                                        • strncmp.MSVCR90(00000000,bottom,?), ref: 00EC7CD0
                                        • strncmp.MSVCR90(00000000,left,?), ref: 00EC7D38
                                          • Part of subcall function 00EC95F0: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00EC9619
                                        • strncmp.MSVCR90(00000000,top,?), ref: 00EC7D9D
                                          • Part of subcall function 00EC99B0: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00EC99D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: ProcessorVirtualstrncmp$Concurrency::RootRoot::
                                        • String ID: bottom$height$left$right$top$width
                                        • API String ID: 3925363580-3615874499
                                        • Opcode ID: ad73999adf71e00208d0799401638cabdeb396e51207aca044a2c2a2b09749a9
                                        • Instruction ID: 2e9b9f19f02f22e34caa89f54d92dd0dadf1d1496bc84d1c8846bef96befab19
                                        • Opcode Fuzzy Hash: ad73999adf71e00208d0799401638cabdeb396e51207aca044a2c2a2b09749a9
                                        • Instruction Fuzzy Hash: 36A1E0B0D0520ADFDB04CFE8DA45BEEBBB5AB48304F20522DE516BB281D7355A06CF51
                                        APIs
                                        • CreateCompatibleDC.GDI32(?), ref: 00E4FF0D
                                        • CreateDIBSection.GDI32 ref: 00E4FF75
                                        • SelectObject.GDI32(00000000,00000000), ref: 00E4FF84
                                        • SetRect.USER32(?,00000000,00000000,?,?), ref: 00E4FF93
                                        • SetRect.USER32(?,?,?), ref: 00E4FFB6
                                        • XL_PaintBitmap.MSVCR90(00000000,?,00000000,00000000), ref: 00E4FFCC
                                        • AlphaBlend.MSIMG32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 00E4FFFD
                                        • DeleteDC.GDI32(00000000), ref: 00E50004
                                        • DeleteObject.GDI32(?), ref: 00E50012
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: CreateDeleteObjectRect$AlphaBitmapBlendCompatiblePaintSectionSelect
                                        • String ID: (
                                        • API String ID: 2359953928-3887548279
                                        • Opcode ID: 5f6604f4084ed5b151bfb41ac520aaa19b6b64f0668b0bd937ec606375f22958
                                        • Instruction ID: 6fecd3c979e8cbd42d67055d7b0ac9aa294f901fb032a459ec5149feae754424
                                        • Opcode Fuzzy Hash: 5f6604f4084ed5b151bfb41ac520aaa19b6b64f0668b0bd937ec606375f22958
                                        • Instruction Fuzzy Hash: 7131C9B1519344AFD320DF66D848EABBBECFBC9700F00491EF68593210DA71A909CB66
                                        APIs
                                        • lua_touserdata.XLLUARUNTIME(?,FFFFD8ED), ref: 00FDF0AD
                                        • luaL_error.XLLUARUNTIME(?,file is already closed), ref: 00FDF0C1
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        • ferror.MSVCR90 ref: 00FDF0D3
                                        • _errno.MSVCR90 ref: 00FDF0E0
                                        • strerror.MSVCR90 ref: 00FDF0E9
                                        • luaL_error.XLLUARUNTIME(?,00FF21AC,00000000), ref: 00FDF0F6
                                        • lua_toboolean.XLLUARUNTIME(?,FFFFD8EC), ref: 00FDF115
                                        • lua_settop.XLLUARUNTIME(?,00000000), ref: 00FDF124
                                        • lua_pushvalue.XLLUARUNTIME(?,FFFFD8ED,?,00000000), ref: 00FDF12F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_error$L_where_errnoferrorlua_concatlua_errorlua_pushvaluelua_pushvfstringlua_settoplua_tobooleanlua_touserdatastrerror
                                        • String ID: file is already closed
                                        • API String ID: 2835130823-1126627374
                                        • Opcode ID: 094294454bab07173e7850678707b5897ccccda7c6aa38391f3af547f9a74cb0
                                        • Instruction ID: d05a463cbe945ace1729fd4012c8ba43c40e5646ea49adedf2cac35b01f812ff
                                        • Opcode Fuzzy Hash: 094294454bab07173e7850678707b5897ccccda7c6aa38391f3af547f9a74cb0
                                        • Instruction Fuzzy Hash: 43014766A0152067DA0037A8BC42FAF365E9F82327F4C0033FA04D3353F6199519B1FA
                                        APIs
                                        • lua_rawgeti.XLLUARUNTIME(?,FFFFD8EF,00000002), ref: 00FDF43F
                                        • lua_touserdata.XLLUARUNTIME(?,000000FF,?,FFFFD8EF,00000002), ref: 00FDF447
                                        • luaL_error.XLLUARUNTIME(?,standard %s file is closed,00FF2870), ref: 00FDF461
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        • fflush.MSVCR90 ref: 00FDF46A
                                        • _errno.MSVCR90 ref: 00FDF47A
                                        • lua_pushboolean.XLLUARUNTIME(?,00000001), ref: 00FDF489
                                        • lua_pushnil.XLLUARUNTIME(?), ref: 00FDF49B
                                        • strerror.MSVCR90 ref: 00FDF4A1
                                        • lua_pushinteger.XLLUARUNTIME(?,?,?,00FF21AC,00000000,?,?), ref: 00FDF4B5
                                        Strings
                                        • standard %s file is closed, xrefs: 00FDF45B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_errorL_where_errnofflushlua_concatlua_errorlua_pushbooleanlua_pushintegerlua_pushnillua_pushvfstringlua_rawgetilua_touserdatastrerror
                                        • String ID: standard %s file is closed
                                        • API String ID: 3796235457-758085179
                                        • Opcode ID: 9a04fbf1c87291432b16b8e980d7569a0042a270d9fd049563eaa18b6907b676
                                        • Instruction ID: f621cb16dfd4ec8125a96004bd87a030d23a9bae6dcc009e4fd4fe25918cf039
                                        • Opcode Fuzzy Hash: 9a04fbf1c87291432b16b8e980d7569a0042a270d9fd049563eaa18b6907b676
                                        • Instruction Fuzzy Hash: 0F01F77290052477D6127718AC82F7F332D9F82F26F4C0226FA11AB393D7595911B2F2
                                        APIs
                                        • luaL_checkudata.XLLUARUNTIME(?,00000001,FILE*), ref: 00FDF4DF
                                          • Part of subcall function 00FD6FC0: lua_touserdata.XLLUARUNTIME(?,?), ref: 00FD6FCE
                                          • Part of subcall function 00FD6FC0: lua_getmetatable.XLLUARUNTIME(?,?), ref: 00FD6FE2
                                          • Part of subcall function 00FD6FC0: lua_getfield.XLLUARUNTIME(?,FFFFD8F0,?), ref: 00FD6FF5
                                          • Part of subcall function 00FD6FC0: lua_rawequal.XLLUARUNTIME(?,000000FF,000000FE,?,FFFFD8F0,?), ref: 00FD6FFF
                                          • Part of subcall function 00FD6FC0: lua_settop.XLLUARUNTIME(?,000000FD), ref: 00FD700E
                                        • luaL_error.XLLUARUNTIME(?,attempt to use a closed file), ref: 00FDF4F4
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        • fflush.MSVCR90 ref: 00FDF4FF
                                        • _errno.MSVCR90 ref: 00FDF50F
                                        • lua_pushboolean.XLLUARUNTIME(?,00000001), ref: 00FDF51E
                                        • lua_pushnil.XLLUARUNTIME(?), ref: 00FDF530
                                        • strerror.MSVCR90 ref: 00FDF536
                                        • lua_pushinteger.XLLUARUNTIME(?,?,?,00FF21AC,00000000,?,?), ref: 00FDF54A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_checkudataL_errorL_where_errnofflushlua_concatlua_errorlua_getfieldlua_getmetatablelua_pushbooleanlua_pushintegerlua_pushnillua_pushvfstringlua_rawequallua_settoplua_touserdatastrerror
                                        • String ID: FILE*$attempt to use a closed file
                                        • API String ID: 618006575-999929173
                                        • Opcode ID: d875a7b98b82345a7a354ec837ecabe60ca9f92209df5d8d36b59e81e0ff393c
                                        • Instruction ID: 9259dee30e3f8c21cfd473add34141c0099f85dc013c4bcc5950bae0aad5694d
                                        • Opcode Fuzzy Hash: d875a7b98b82345a7a354ec837ecabe60ca9f92209df5d8d36b59e81e0ff393c
                                        • Instruction Fuzzy Hash: 2C01D672900114A7D6213B14BC82F7F376D9F81F26F4C012AFA05A7352D79D5956B2E3
                                        APIs
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90 ref: 00E52B4C
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52B94
                                        • ?length@?$char_traits@_W@std@@SAIPB_W@Z.MSVCP90(00ED3484), ref: 00E52B9F
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52BFC
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52C65
                                        • ?length@?$char_traits@_W@std@@SAIPB_W@Z.MSVCP90(00ED3484), ref: 00E52C70
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52CCD
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52D2C
                                        • ?length@?$char_traits@_W@std@@SAIPB_W@Z.MSVCP90(00ED3484), ref: 00E52D37
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52D90
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52DDF
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: W@std@@$?assign@?$char_traits@_$?length@?$char_traits@_
                                        • String ID:
                                        • API String ID: 2115636358-0
                                        • Opcode ID: 58a2b36c29415b9dd48cc9d04ae3d5cbf3443e2613cd8f2eb14e5abd5e6b053c
                                        • Instruction ID: 2f5151570a324e9769cbad0ef8b3781fb3d3cca609bd8618d3dcd8d974bff652
                                        • Opcode Fuzzy Hash: 58a2b36c29415b9dd48cc9d04ae3d5cbf3443e2613cd8f2eb14e5abd5e6b053c
                                        • Instruction Fuzzy Hash: 66B143B14093419FC310DF64D981A6BFBE4FB89705F445D2EFA96A6212D734EA0CCB62
                                        APIs
                                        • luaL_checklstring.XLLUARUNTIME(?,?,?), ref: 00FE81AA
                                          • Part of subcall function 00FD70D0: lua_tolstring.XLLUARUNTIME(?,?,?), ref: 00FD70E2
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000004), ref: 00FD70F4
                                          • Part of subcall function 00FD70D0: lua_type.XLLUARUNTIME(?,?,?,00000004), ref: 00FD70FD
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000004), ref: 00FD7104
                                          • Part of subcall function 00FD70D0: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000004), ref: 00FD7119
                                        • luaL_prepbuffer.XLLUARUNTIME ref: 00FE81FF
                                        • luaL_prepbuffer.XLLUARUNTIME ref: 00FE8213
                                        • luaL_addlstring.XLLUARUNTIME(?,00FF3BA4,00000002), ref: 00FE822B
                                          • Part of subcall function 00FD68D0: lua_pushlstring.XLLUARUNTIME(?,?), ref: 00FD6901
                                        • luaL_prepbuffer.XLLUARUNTIME ref: 00FE81BF
                                          • Part of subcall function 00FD6890: lua_pushlstring.XLLUARUNTIME(?,?), ref: 00FD68A8
                                        • luaL_prepbuffer.XLLUARUNTIME ref: 00FE8273
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_prepbuffer$lua_pushlstringlua_typename$L_addlstringL_argerrorL_checklstringlua_tolstringlua_type
                                        • String ID: \000
                                        • API String ID: 4179832134-2104200393
                                        • Opcode ID: a4393a9834cd8d314b87ca5a827874bc64b59f3e9ce325b90b87e2c540e33e3c
                                        • Instruction ID: 4677485903eccd61a0420031ea4ebe235804aef2536d26ba9b0f93381785b48c
                                        • Opcode Fuzzy Hash: a4393a9834cd8d314b87ca5a827874bc64b59f3e9ce325b90b87e2c540e33e3c
                                        • Instruction Fuzzy Hash: 2921D1B44046C1DFE7116F10EC42A66BBB5AF66381F28086EE6C947203E7395546FBA3
                                        APIs
                                        • lua_isuserdata.XLLUARUNTIME(?,00000001), ref: 00FD0098
                                        • lua_isuserdata.XLLUARUNTIME(?,00000002), ref: 00FD00A7
                                        • lua_isnumber.XLLUARUNTIME(?,00000002), ref: 00FD00C1
                                          • Part of subcall function 00FCF8F0: lua_pushboolean.XLLUARUNTIME(?,00000001), ref: 00FCF91F
                                        • lua_isnumber.XLLUARUNTIME(?,00000001), ref: 00FD00E8
                                        • lua_isuserdata.XLLUARUNTIME(?,00000002), ref: 00FD00F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_isuserdata$lua_isnumber$lua_pushboolean
                                        • String ID: invalid arg! int64 or number expect!
                                        • API String ID: 3364236900-3299302025
                                        • Opcode ID: fcb3adccb02f4a600ab12cda679dba742c539afefa90e5f0ce81ccae137b1754
                                        • Instruction ID: 4379f7d1acbadf25a7286ff6aa24b5dd2a59c1dc4cdb99a1ea68845773032908
                                        • Opcode Fuzzy Hash: fcb3adccb02f4a600ab12cda679dba742c539afefa90e5f0ce81ccae137b1754
                                        • Instruction Fuzzy Hash: 8211C066E51A2132ED2131243D07FDB350B0F11B56F8C4026F904683D7FACAAA9660F7
                                        APIs
                                        • lua_touserdata.XLLUARUNTIME(?,?,?,?,?,00FCFE3F,?,?), ref: 00FCF1CD
                                        • lua_getmetatable.XLLUARUNTIME(?,?), ref: 00FCF1DD
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,_LOADED), ref: 00FCF1F4
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED), ref: 00FCF201
                                        • lua_rawequal.XLLUARUNTIME(?,000000FF,000000FD,?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED), ref: 00FCF20B
                                        • lua_settop.XLLUARUNTIME(?,000000FC), ref: 00FCF21A
                                        • luaL_typerror.XLLUARUNTIME(?,?,Xunlei.LuaRuntime.Int64), ref: 00FCF232
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_getfield$L_typerrorlua_getmetatablelua_rawequallua_settoplua_touserdata
                                        • String ID: Xunlei.LuaRuntime.Int64$_LOADED
                                        • API String ID: 4014528307-3892714049
                                        • Opcode ID: 1116ce403570bb55ad646ed7617c1b5d65a94d74b981005c27a9af5c1ec13d54
                                        • Instruction ID: 488578c716eb932685a26027bb69fea8f5d94d18eeeb9a555b6ade23f86d4e63
                                        • Opcode Fuzzy Hash: 1116ce403570bb55ad646ed7617c1b5d65a94d74b981005c27a9af5c1ec13d54
                                        • Instruction Fuzzy Hash: F6F07DBA60693636450071186C42EAF735EAC817727284332F434E23C1EB2DEA1571F7
                                        APIs
                                        • luaL_checklstring.XLLUARUNTIME(?,00000001,00000000), ref: 00FE207B
                                          • Part of subcall function 00FD70D0: lua_tolstring.XLLUARUNTIME(?,?,?), ref: 00FD70E2
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000004), ref: 00FD70F4
                                          • Part of subcall function 00FD70D0: lua_type.XLLUARUNTIME(?,?,?,00000004), ref: 00FD70FD
                                          • Part of subcall function 00FD70D0: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000004), ref: 00FD7104
                                          • Part of subcall function 00FD70D0: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000004), ref: 00FD7119
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8EF,preload,?,00000001,00000000), ref: 00FE208D
                                        • lua_type.XLLUARUNTIME(?,000000FF,?,FFFFD8EF,preload,?,00000001,00000000), ref: 00FE2095
                                        • luaL_error.XLLUARUNTIME(?,'package.preload' must be a table), ref: 00FE20A8
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,00000000), ref: 00FE20B4
                                        • lua_type.XLLUARUNTIME(?,000000FF,?,000000FF,00000000), ref: 00FE20BC
                                        Strings
                                        • 'package.preload' must be a table, xrefs: 00FE20A2
                                        • no field package.preload['%s'], xrefs: 00FE20C9
                                        • preload, xrefs: 00FE2080
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_type$lua_getfieldlua_typename$L_argerrorL_checklstringL_errorL_wherelua_concatlua_errorlua_pushvfstringlua_tolstring
                                        • String ID: no field package.preload['%s']$'package.preload' must be a table$preload
                                        • API String ID: 3745296055-726884196
                                        • Opcode ID: 9a13f816231404b0882d12a626f15391651b067ad7cc1a56a6bcd7ae14b6e7f7
                                        • Instruction ID: d2c985829c977722a83b6d6ed3896e4edf03d3ec268cd066ceceb27508532b37
                                        • Opcode Fuzzy Hash: 9a13f816231404b0882d12a626f15391651b067ad7cc1a56a6bcd7ae14b6e7f7
                                        • Instruction Fuzzy Hash: 02F08271909A2031D53131292C03FAF355E4F92B35F580313F620713E6F998A64161AB
                                        APIs
                                        • lua_newuserdata.XLLUARUNTIME(?,?), ref: 00FD305C
                                        • lua_gettop.XLLUARUNTIME(?), ref: 00FD308E
                                        • lua_getfield.XLLUARUNTIME ref: 00FD30A7
                                        • lua_type.XLLUARUNTIME(?,000000FF), ref: 00FD30AF
                                        • lua_settop.XLLUARUNTIME(?,?), ref: 00FD3110
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,?,?,?), ref: 00FD311C
                                        • lua_setmetatable.XLLUARUNTIME(?,000000FE,?,FFFFD8F0,?,?,?), ref: 00FD3124
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_getfield$lua_gettoplua_newuserdatalua_setmetatablelua_settoplua_type
                                        • String ID:
                                        • API String ID: 760869682-0
                                        • Opcode ID: ee58fd7f397db3aa41014af2fb964dcb3ba1c7dcb8f9e4d93bf4b771f220ca76
                                        • Instruction ID: dc883f03e0c5a65b2ed8262efb6abfd91f8cdf79bd274dad06a68135988abfb1
                                        • Opcode Fuzzy Hash: ee58fd7f397db3aa41014af2fb964dcb3ba1c7dcb8f9e4d93bf4b771f220ca76
                                        • Instruction Fuzzy Hash: 5721F8729095152AD601B6286C06F6F729F4FD2338F1C061BF41053393EA296E42A2F7
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: isalnumisalphaiscntrlisdigitislowerispunctisspaceisupperisxdigittolower
                                        • String ID:
                                        • API String ID: 1429737575-0
                                        • Opcode ID: 5bf50a466e00c5ee288c4c5989c1f3cc4cda627dba157c195ffd600d9bec2360
                                        • Instruction ID: 6faf93b570c9d09a99ec61e5f5d908baae3cbad09bd56d8c683aa19d57280d99
                                        • Opcode Fuzzy Hash: 5bf50a466e00c5ee288c4c5989c1f3cc4cda627dba157c195ffd600d9bec2360
                                        • Instruction Fuzzy Hash: 66110AB38099B6EBDB10777D7C494AF35486D012A430D01B0F907F6214F6258D25FAE7
                                        APIs
                                        • ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00E54FD2
                                        • ?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z.MSVCP90(?,?), ref: 00E54FF2
                                        • ?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@I_W@Z.MSVCP90(00000001,0000002E), ref: 00E55023
                                        • ?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ.MSVCP90(?,?,?,00000001), ref: 00E5504E
                                        • ?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ.MSVCP90(00000000), ref: 00E55059
                                        • ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP90 ref: 00E55077
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: U?$char_traits@_V?$allocator@_W@2@@std@@W@std@@$?append@?$basic_string@_V12@$??0?$basic_string@_??1?$basic_string@_?c_str@?$basic_string@_?size@?$basic_string@_
                                        • String ID: ...
                                        • API String ID: 2097304461-440645147
                                        • Opcode ID: b8603eac14f84c9e9ebc249c38771e2e4429cc7efff2f9a462b8f2372927525e
                                        • Instruction ID: 8dbb08a7c9adda4d04300db07000806bdad2af24e5c660a31fb7c147d6a82df1
                                        • Opcode Fuzzy Hash: b8603eac14f84c9e9ebc249c38771e2e4429cc7efff2f9a462b8f2372927525e
                                        • Instruction Fuzzy Hash: 167137B55087019FC314CF29D880A6ABBF5FFD8315F105A1EF995932A0DB70D988CB62
                                        APIs
                                        • memset.MSVCR90 ref: 00E7C3A3
                                          • Part of subcall function 00E7C2B0: memset.MSVCR90 ref: 00E7C2D8
                                          • Part of subcall function 00E7C2B0: SystemParametersInfoW.USER32 ref: 00E7C2F3
                                          • Part of subcall function 00E7C2B0: wcsncpy.MSVCR90 ref: 00E7C31E
                                        • _wcsicmp.MSVCR90 ref: 00E7C3C4
                                        • _wcsicmp.MSVCR90 ref: 00E7C3D7
                                        • _wcsicmp.MSVCR90 ref: 00E7C3EA
                                          • Part of subcall function 00E7C1F0: memset.MSVCR90 ref: 00E7C21C
                                          • Part of subcall function 00E7C1F0: wcsncpy.MSVCR90 ref: 00E7C23C
                                          • Part of subcall function 00E7C1F0: GetDC.USER32(00000000), ref: 00E7C247
                                          • Part of subcall function 00E7C1F0: EnumFontFamiliesExW.GDI32 ref: 00E7C27F
                                          • Part of subcall function 00E7C1F0: ReleaseDC.USER32(00000000,00000000), ref: 00E7C288
                                        • wcsncpy.MSVCR90 ref: 00E7C45B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: _wcsicmpmemsetwcsncpy$EnumFamiliesFontInfoParametersReleaseSystem
                                        • String ID: Microsoft YaHei$Microsoft YaHei UI$SimSun
                                        • API String ID: 380406342-1986890003
                                        • Opcode ID: ee6897c0125be561b7969137a03f4a5706c4453f9409a2e0a7aeca25f9567d04
                                        • Instruction ID: 9095ebd29a88bea0ef01c63eb3b2e3efe76643af30a6f739be86fcc045537319
                                        • Opcode Fuzzy Hash: ee6897c0125be561b7969137a03f4a5706c4453f9409a2e0a7aeca25f9567d04
                                        • Instruction Fuzzy Hash: D721A4B5A003007AD610DB649C92FBB73EDDFC4744F50991EF558B6282F6B1D60986A3
                                        APIs
                                        • luaL_checktype.XLLUARUNTIME(?,00000001,00000005), ref: 00FE249A
                                          • Part of subcall function 00FD7050: lua_type.XLLUARUNTIME(?,?), ref: 00FD705C
                                          • Part of subcall function 00FD7050: lua_typename.XLLUARUNTIME(?,?), ref: 00FD706F
                                          • Part of subcall function 00FD7050: lua_type.XLLUARUNTIME(?,?,?,?), ref: 00FD7078
                                          • Part of subcall function 00FD7050: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,?), ref: 00FD707F
                                          • Part of subcall function 00FD7050: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,?), ref: 00FD7094
                                        • lua_getmetatable.XLLUARUNTIME(?,00000001,?,00000001,00000005), ref: 00FE24A2
                                        • lua_createtable.XLLUARUNTIME(?,00000000,00000001), ref: 00FE24B2
                                        • lua_pushvalue.XLLUARUNTIME(?,000000FF,?,00000000,00000001), ref: 00FE24BA
                                        • lua_setmetatable.XLLUARUNTIME(?,00000001,?,000000FF,?,00000000,00000001), ref: 00FE24C2
                                        • lua_pushvalue.XLLUARUNTIME(?,FFFFD8EE), ref: 00FE24D0
                                        • lua_setfield.XLLUARUNTIME(?,000000FE,__index,?,FFFFD8EE), ref: 00FE24DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_pushvaluelua_typelua_typename$L_argerrorL_checktypelua_createtablelua_getmetatablelua_setfieldlua_setmetatable
                                        • String ID: __index
                                        • API String ID: 3333155683-4084755486
                                        • Opcode ID: 29021efa779cf4af7dc2e706a27a6c7c4199578672d558fbc86c8d85c489e4d3
                                        • Instruction ID: 57f424ed419b123a735cdac8e80da714c65a72d6bc71eaa2bcfe4b4453b6b7b8
                                        • Opcode Fuzzy Hash: 29021efa779cf4af7dc2e706a27a6c7c4199578672d558fbc86c8d85c489e4d3
                                        • Instruction Fuzzy Hash: 69E0E561A5AE3431E81272381C43FDF304B1F52B26F9D0252F615B52D3FA8E568624FA
                                        APIs
                                        • EnterCriticalSection.KERNEL32(?,E3DC3B0A), ref: 00FCC1F5
                                        • ?compare@?$char_traits@D@std@@SAHPBD0I@Z.MSVCP90(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,00FD2B8A), ref: 00FCC24D
                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000FF,00FD2B8A,?), ref: 00FCC27E
                                        • lua_pushnil.XLLUARUNTIME(00000000,?,?,?,?,?,?,?,?,?,?,?,000000FF,00FD2B8A,?), ref: 00FCC2A3
                                        • lua_setfield.XLLUARUNTIME(00000000,FFFFD8EE,?,00000000,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00FCC2AF
                                        • lua_pushnil.XLLUARUNTIME(00000000,?,?,?,?,?,?,?,?,?,?,?,000000FF,00FD2B8A,?), ref: 00FCC2CC
                                        • lua_setfield.XLLUARUNTIME(00000000,FFFFD8EE,?,00000000,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00FCC2DC
                                        • memmove_s.MSVCR90 ref: 00FCC338
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00FCC350
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: CriticalSection$Leavelua_pushnillua_setfield$?compare@?$char_traits@D@std@@Entermemmove_s
                                        • String ID:
                                        • API String ID: 1931814450-0
                                        • Opcode ID: 098288f328b911da4922b2f65c1bb6335942d7f137c3e908de5f95080b2e0313
                                        • Instruction ID: 454c7eb6bb77a87c14e4b528b59103a2848374e5a52fb21a73ac3550f685c91b
                                        • Opcode Fuzzy Hash: 098288f328b911da4922b2f65c1bb6335942d7f137c3e908de5f95080b2e0313
                                        • Instruction Fuzzy Hash: C651EF729046029BDB20DF68DE82B6AB7E8FB45710F08091CE859D7301E735EC05EBE2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: iscntrl
                                        • String ID: %s near '%s'$%s:%d: %s$char(%d)$nesting of [[...]] is deprecated$unfinished long comment$unfinished long string
                                        • API String ID: 23777793-1797284299
                                        • Opcode ID: 724600d2bf267b163d5c9cbb42a898d7cd6f3cf0e268ef195e72687783b161b4
                                        • Instruction ID: 8bdec089af51703b7b1855f4a57d7d537e28a3b12b98c289bd3d9332cd2c703d
                                        • Opcode Fuzzy Hash: 724600d2bf267b163d5c9cbb42a898d7cd6f3cf0e268ef195e72687783b161b4
                                        • Instruction Fuzzy Hash: 4D91E6B19002409FCB04EF55CCD1E2677A9AF85304F4885A9F9068F356DBB9EC85EB92
                                        APIs
                                        • strncmp.MSVCR90(?,eexec,00000005), ref: 00EB183A
                                        • strncmp.MSVCR90(?,closefile,00000009), ref: 00EB18A4
                                        • strncmp.MSVCR90(?,FontDirectory,0000000D), ref: 00EB190E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: strncmp
                                        • String ID: 8W$CharStrings$FontDirectory$closefile$eexec
                                        • API String ID: 1114863663-795481199
                                        • Opcode ID: 07497bc5f6bd2c50482e4646209027bb8c18e6a9f596c23a1e8ad76687614844
                                        • Instruction ID: 9d842a5c4713507be0777dc67f102c319606d76e819c60481a90203af46dc918
                                        • Opcode Fuzzy Hash: 07497bc5f6bd2c50482e4646209027bb8c18e6a9f596c23a1e8ad76687614844
                                        • Instruction Fuzzy Hash: 8EB1F63424524A4BCB388A1C94747F7B792BB96368FD864DEE8C5B7214E320EC87C646
                                        APIs
                                        • lua_gettop.XLLUARUNTIME(?), ref: 00FD8077
                                        • lua_type.XLLUARUNTIME(?,00000001,?), ref: 00FD8081
                                        • lua_tolstring.XLLUARUNTIME(?,00000001,00000000), ref: 00FD8093
                                        • lua_pushinteger.XLLUARUNTIME(?,00000000), ref: 00FD80A3
                                        • luaL_checkinteger.XLLUARUNTIME(?,00000001), ref: 00FD80B7
                                        • luaL_argerror.XLLUARUNTIME(?,00000001,index out of range), ref: 00FD80DC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_argerrorL_checkintegerlua_gettoplua_pushintegerlua_tolstringlua_type
                                        • String ID: index out of range
                                        • API String ID: 443603861-2815927717
                                        • Opcode ID: a79632594b5fd1de562d5edb1118f38439d7d3f13e22ef9cfc7162b150e5751c
                                        • Instruction ID: 1cfcdaae1b184968b04b188c0209bc094fd16f7d5c1766c5934df360cce77281
                                        • Opcode Fuzzy Hash: a79632594b5fd1de562d5edb1118f38439d7d3f13e22ef9cfc7162b150e5751c
                                        • Instruction Fuzzy Hash: F2F0A976E5051026DA3135546CC6B7E624B8BA1FA6F1D0137FE04A7382D5CB5D863193
                                        APIs
                                        • lua_tonumber.XLLUARUNTIME(?,?), ref: 00FD719F
                                        • lua_isnumber.XLLUARUNTIME(?,?), ref: 00FD71BA
                                        • lua_typename.XLLUARUNTIME(?,00000003), ref: 00FD71CA
                                        • lua_type.XLLUARUNTIME(?,?,?,00000003), ref: 00FD71D3
                                        • lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000003), ref: 00FD71DA
                                        • luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000003), ref: 00FD71EF
                                          • Part of subcall function 00FD6E80: lua_getstack.XLLUARUNTIME(?,00000000,00FCF237,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1,?,00FCF237), ref: 00FD6EA0
                                          • Part of subcall function 00FD6E80: luaL_error.XLLUARUNTIME(?,bad argument #%d (%s),?,?,?,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1), ref: 00FD6EB8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_typename$L_argerrorL_errorlua_getstacklua_isnumberlua_tonumberlua_type
                                        • String ID: %s expected, got %s
                                        • API String ID: 2001163409-156976391
                                        • Opcode ID: 70eac9a213c6d5b45101ef93baf1ce20b7a34184b34414d6adad46da9c1ce374
                                        • Instruction ID: 4d24e87f817c01597f66471629eeac6fbdf730a4d2d3443f6a05085a6a89b8f4
                                        • Opcode Fuzzy Hash: 70eac9a213c6d5b45101ef93baf1ce20b7a34184b34414d6adad46da9c1ce374
                                        • Instruction Fuzzy Hash: 90F0F652801A5136950136209C07FEF366E9EC3B57F48001AF94461202E71C561961FB
                                        APIs
                                        • luaL_checktype.XLLUARUNTIME(?,00000001,00000006), ref: 00FE70A1
                                          • Part of subcall function 00FD7050: lua_type.XLLUARUNTIME(?,?), ref: 00FD705C
                                          • Part of subcall function 00FD7050: lua_typename.XLLUARUNTIME(?,?), ref: 00FD706F
                                          • Part of subcall function 00FD7050: lua_type.XLLUARUNTIME(?,?,?,?), ref: 00FD7078
                                          • Part of subcall function 00FD7050: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,?), ref: 00FD707F
                                          • Part of subcall function 00FD7050: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,?), ref: 00FD7094
                                        • lua_settop.XLLUARUNTIME(?,00000001,?,00000001,00000006), ref: 00FE70A9
                                        • luaL_buffinit.XLLUARUNTIME(?,?,?,00000001,?,00000001,00000006), ref: 00FE70B4
                                        • lua_dump.XLLUARUNTIME(?,Function_00027060,?,?,?,?,00000001,?,00000001,00000006), ref: 00FE70C4
                                        • luaL_error.XLLUARUNTIME(?,unable to dump given function), ref: 00FE70D6
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        • luaL_pushresult.XLLUARUNTIME(?), ref: 00FE70E3
                                        Strings
                                        • unable to dump given function, xrefs: 00FE70D0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_typelua_typename$L_argerrorL_buffinitL_checktypeL_errorL_pushresultL_wherelua_concatlua_dumplua_errorlua_pushvfstringlua_settop
                                        • String ID: unable to dump given function
                                        • API String ID: 739528140-4187293423
                                        • Opcode ID: 1ca259e960092c335f78579c5c469ecac29efbc4d02b20b26cda0727463c4038
                                        • Instruction ID: fe1465068690dcf7f06b328a23d67d0ac238446e79caaf807325fb5448c7618e
                                        • Opcode Fuzzy Hash: 1ca259e960092c335f78579c5c469ecac29efbc4d02b20b26cda0727463c4038
                                        • Instruction Fuzzy Hash: 90F0F67195431427E620FB24DC87FEF339A9F58700F484819F548A62C2EBBCA645A7E3
                                        APIs
                                        • lua_newuserdata.XLLUARUNTIME(?,00000008,00000000,00FCFEC2,00000000,000000FF,7FFFFFFF,00000000,Xunlei.LuaRuntime.Int64,00FF1960,?,?,00FD0161,?), ref: 00FCF178
                                        • lua_getfield.XLLUARUNTIME(?,FFFFD8F0,_LOADED,?,00000008,00000000,00FCFEC2,00000000,000000FF,7FFFFFFF,00000000,Xunlei.LuaRuntime.Int64,00FF1960,?,?,00FD0161), ref: 00FCF195
                                        • lua_getfield.XLLUARUNTIME(?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED,?,00000008,00000000,00FCFEC2,00000000,000000FF,7FFFFFFF,00000000,Xunlei.LuaRuntime.Int64,00FF1960), ref: 00FCF1A2
                                        • lua_setmetatable.XLLUARUNTIME(?,000000FD,?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED,?,00000008,00000000,00FCFEC2,00000000,000000FF,7FFFFFFF,00000000), ref: 00FCF1AA
                                        • lua_settop.XLLUARUNTIME(?,000000FE,?,000000FD,?,000000FF,Xunlei.LuaRuntime.Int64,?,FFFFD8F0,_LOADED,?,00000008,00000000,00FCFEC2,00000000,000000FF), ref: 00FCF1B2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_getfield$lua_newuserdatalua_setmetatablelua_settop
                                        • String ID: Xunlei.LuaRuntime.Int64$_LOADED
                                        • API String ID: 3093328914-3892714049
                                        • Opcode ID: 7c852f83da0f6bca2ee6dfd31ed4927790a56b2ed98609d15f0b34b074553dd8
                                        • Instruction ID: aeeb26b415d31a483abb5ec416c04db46a20a4ef21001b5630ea9a93d37d3298
                                        • Opcode Fuzzy Hash: 7c852f83da0f6bca2ee6dfd31ed4927790a56b2ed98609d15f0b34b074553dd8
                                        • Instruction Fuzzy Hash: 12E0927514EB25B68600AB149C02EAE36A65F46B31F144706F020373E1CA2CA50267EB
                                        APIs
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90 ref: 00E52830
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?,?,?,?,?,?,?,?,?,?), ref: 00E528BE
                                        • ?length@?$char_traits@_W@std@@SAIPB_W@Z.MSVCP90(00ED3484,?,?,?,?,?,?,?,?,?,?,?), ref: 00E528C9
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52929
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E529A2
                                        • ?length@?$char_traits@_W@std@@SAIPB_W@Z.MSVCP90(00ED3484), ref: 00E529AD
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52A09
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E52A5E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: W@std@@$?assign@?$char_traits@_$?length@?$char_traits@_
                                        • String ID:
                                        • API String ID: 2115636358-0
                                        • Opcode ID: be369b2754b736357215771302414dbcf1e137129c5bb3785b1c26e57503ec5c
                                        • Instruction ID: 2cc506e19b83fdf1f58f7f777b5ee25bda1a6fb54cdfe678ddd4e8de31d8a2fd
                                        • Opcode Fuzzy Hash: be369b2754b736357215771302414dbcf1e137129c5bb3785b1c26e57503ec5c
                                        • Instruction Fuzzy Hash: 988135B14083418FC310DF65D880A6BBBF4FB89705F444A2EF6A9A7251D735EA09CB93
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: sprintf
                                        • String ID: %hd$COMMENT$ENDPROPERTIES$FONT_ASCENT$FONT_DESCENT$_XFREE86_GLYPH_RANGES
                                        • API String ID: 590974362-1053162884
                                        • Opcode ID: 98235547a0c47647f9879f1d0c45907123c0208a1fd4c3abcfdf78d9beae4e28
                                        • Instruction ID: 8e43c1d050fbab33e5293ea3951be502340592f4307323560db95a120b608c00
                                        • Opcode Fuzzy Hash: 98235547a0c47647f9879f1d0c45907123c0208a1fd4c3abcfdf78d9beae4e28
                                        • Instruction Fuzzy Hash: 5961F1767007055BD320EB14C881E6BB3E4FB99704F18952AE88DAB741E775FC0687A1
                                        APIs
                                        • strstr.MSVCR90 ref: 00FD7463
                                        • luaL_addlstring.XLLUARUNTIME(?,?,00000000), ref: 00FD747D
                                        • luaL_addlstring.XLLUARUNTIME(?,?,?), ref: 00FD74A0
                                        • strstr.MSVCR90 ref: 00FD74AE
                                        • luaL_addlstring.XLLUARUNTIME(?,?,?), ref: 00FD74D2
                                        • lua_pushlstring.XLLUARUNTIME(?,?,?), ref: 00FD74F4
                                        • lua_concat.XLLUARUNTIME(?,?), ref: 00FD7512
                                        • lua_tolstring.XLLUARUNTIME(?,000000FF,00000000,?,?), ref: 00FD7524
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_addlstring$strstr$lua_concatlua_pushlstringlua_tolstring
                                        • String ID:
                                        • API String ID: 519468106-0
                                        • Opcode ID: 858356ca423c571805d509fa02606c4b31d7f79fed3650ca818a45538804bd0a
                                        • Instruction ID: 2f0e6919a1c0427311b3fffb138b0cebceec7fe65110704bc4960bdc9dbcc9c5
                                        • Opcode Fuzzy Hash: 858356ca423c571805d509fa02606c4b31d7f79fed3650ca818a45538804bd0a
                                        • Instruction Fuzzy Hash: 0041A4719083559FC311DF18D844AABB7E9AFC9714F084A5DF88897311D774EA08DBE2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: wcsncpy$memsetwcsstr
                                        • String ID:
                                        • API String ID: 825764456-0
                                        • Opcode ID: cc8295bd92835fe7fcc6367a3295abcad6e8e7b736bfa102165062763f4a9281
                                        • Instruction ID: 24012a174e3271fd9466bf99709605b9f4750fe5d501e3daa7b2744aba849698
                                        • Opcode Fuzzy Hash: cc8295bd92835fe7fcc6367a3295abcad6e8e7b736bfa102165062763f4a9281
                                        • Instruction Fuzzy Hash: F831E3726043046BD724DB34DC81AEFB7E4EFC8314F05891EE54DA7250EA34A609C793
                                        APIs
                                        • CreateFontW.GDI32(0000000C,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000007,00000000,00000000,00000000,?), ref: 00E7FE6D
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: CreateFont
                                        • String ID:
                                        • API String ID: 1830492434-0
                                        • Opcode ID: e7cb836408a79e8f454cb32bce1734024e4d4491a7b981968772ed504f97aa1a
                                        • Instruction ID: 6dee1d97a464277bf7d17ea0ef963da8589a19b45257b4dbb4a3c4ad03ac065c
                                        • Opcode Fuzzy Hash: e7cb836408a79e8f454cb32bce1734024e4d4491a7b981968772ed504f97aa1a
                                        • Instruction Fuzzy Hash: 7D31D6752843007EE320CB349C42F7BB7E89B92F14F10961DF655BA1D2DAB0F846866A
                                        APIs
                                        • strncmp.MSVCR90(?,StandardEncoding,00000010), ref: 00EB0C69
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: strncmp
                                        • String ID: .notdef$ExpertEncoding$ISOLatin1Encoding$StandardEncoding
                                        • API String ID: 1114863663-1497679585
                                        • Opcode ID: daa9d41a768aeddccab73a74914009021be89f29953c017c26b5249fbe2e76fd
                                        • Instruction ID: 44eb061023b6d8015bc9b4d02c9866e3e9db2fe103c63a4acb28632fb76a94cf
                                        • Opcode Fuzzy Hash: daa9d41a768aeddccab73a74914009021be89f29953c017c26b5249fbe2e76fd
                                        • Instruction Fuzzy Hash: 9DB1B2703043058FD730CF18D884BFBB7E5EF88318F545A6AE989A6241D335F94A8B96
                                        APIs
                                        • strncmp.MSVCR90(?,StandardEncoding,00000010), ref: 00EA2FE9
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: strncmp
                                        • String ID: .notdef$ExpertEncoding$ISOLatin1Encoding$StandardEncoding
                                        • API String ID: 1114863663-1497679585
                                        • Opcode ID: c38f0a0146fab17fe850abce6e2be2cdc90bd1bcde5ee8123a6c8f96effac1a6
                                        • Instruction ID: 67682e4e24627e2780c61ac4259ddab87fd557a31453b4887f45c9569feb6324
                                        • Opcode Fuzzy Hash: c38f0a0146fab17fe850abce6e2be2cdc90bd1bcde5ee8123a6c8f96effac1a6
                                        • Instruction Fuzzy Hash: BDA129706043019FD720CF28D884BAAF7E5FF89318F54496EF9899B201E375FA198B91
                                        APIs
                                        • strncmp.MSVCR90(?,FontDirectory,0000000D), ref: 00EA3A7F
                                        • strncmp.MSVCR90(?,known,00000005), ref: 00EA3AB7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: strncmp
                                        • String ID: /$8W$F$FontDirectory$known
                                        • API String ID: 1114863663-2944846225
                                        • Opcode ID: 4f64edb0ff0803e0ea2a46f8401f9571a7de8168c7bf3dfaffd9372013ddeee9
                                        • Instruction ID: df5ad67a7216ce82e573e0f6b4b445ed99e396e7116b558832b35439252575c2
                                        • Opcode Fuzzy Hash: 4f64edb0ff0803e0ea2a46f8401f9571a7de8168c7bf3dfaffd9372013ddeee9
                                        • Instruction Fuzzy Hash: FE51C8706042049BCF209F34D8C566ABB96EF5E314F196499FC4BAF206E331FE148B62
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00E804E6
                                        • SelectObject.GDI32(00000000,?), ref: 00E804F4
                                        • GetOutlineTextMetricsW.GDI32(00000000,00000000,00000000,?,00E80645,00000000,00000058), ref: 00E80507
                                        • memset.MSVCR90 ref: 00E80527
                                        • GetOutlineTextMetricsW.GDI32(00000000,00000000,00000000,?,?,?,?), ref: 00E80538
                                        • SelectObject.GDI32(00000000,?), ref: 00E80578
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00E80581
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: MetricsObjectOutlineSelectText$Releasememset
                                        • String ID:
                                        • API String ID: 3503544693-0
                                        • Opcode ID: b59b6fabfdbc940b094f51441a4de0caef5d3bb615335dcb5a3d066fb94fad51
                                        • Instruction ID: 58c535533057b277cddf7bcc94ec6f2fb1b0b6c9e4e731b4eebcde477d44dbf9
                                        • Opcode Fuzzy Hash: b59b6fabfdbc940b094f51441a4de0caef5d3bb615335dcb5a3d066fb94fad51
                                        • Instruction Fuzzy Hash: 9C214C75902600AFD324DF65EC48F17BBE8EB89710F05811EF949A7361D770E9098BB2
                                        APIs
                                        • lua_tolstring.XLLUARUNTIME(?,?,?), ref: 00FD70E2
                                        • lua_typename.XLLUARUNTIME(?,00000004), ref: 00FD70F4
                                        • lua_type.XLLUARUNTIME(?,?,?,00000004), ref: 00FD70FD
                                        • lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000004), ref: 00FD7104
                                        • luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000004), ref: 00FD7119
                                          • Part of subcall function 00FD6E80: lua_getstack.XLLUARUNTIME(?,00000000,00FCF237,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1,?,00FCF237), ref: 00FD6EA0
                                          • Part of subcall function 00FD6E80: luaL_error.XLLUARUNTIME(?,bad argument #%d (%s),?,?,?,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1), ref: 00FD6EB8
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_typename$L_argerrorL_errorlua_getstacklua_tolstringlua_type
                                        • String ID: %s expected, got %s
                                        • API String ID: 3803413682-156976391
                                        • Opcode ID: ade03d553e2f0ae5c256f0c87b28fe7ac1ed04c8f4f957c3a446d7a5ae1e984d
                                        • Instruction ID: ace3100483148929a41b26436f342c5c37aea8d03cfc1d985a0b06f894205633
                                        • Opcode Fuzzy Hash: ade03d553e2f0ae5c256f0c87b28fe7ac1ed04c8f4f957c3a446d7a5ae1e984d
                                        • Instruction Fuzzy Hash: A6F06CA16066543BD10176959C42EBF739DCEC7B2AF480027FE00E2302D65DAD0552FA
                                        APIs
                                        • lua_tothread.XLLUARUNTIME(?,FFFFD8ED), ref: 00FD85BC
                                        • lua_gettop.XLLUARUNTIME(?,?,FFFFD8ED), ref: 00FD85C4
                                          • Part of subcall function 00FD8470: lua_checkstack.XLLUARUNTIME ref: 00FD8481
                                          • Part of subcall function 00FD8470: luaL_error.XLLUARUNTIME(?,too many arguments to resume), ref: 00FD8493
                                        • lua_isstring.XLLUARUNTIME(?,000000FF), ref: 00FD85DC
                                        • luaL_where.XLLUARUNTIME(?,00000001), ref: 00FD85EB
                                          • Part of subcall function 00FD6520: lua_getstack.XLLUARUNTIME(?,?,?,?), ref: 00FD653E
                                          • Part of subcall function 00FD6520: lua_getinfo.XLLUARUNTIME(?,00FF1C64,?,?,?,?), ref: 00FD6555
                                        • lua_insert.XLLUARUNTIME(?,000000FE,?,00000001), ref: 00FD85F3
                                        • lua_concat.XLLUARUNTIME(?,00000002,?,000000FE,?,00000001), ref: 00FD85FB
                                        • lua_error.XLLUARUNTIME(?), ref: 00FD8604
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_errorL_wherelua_checkstacklua_concatlua_errorlua_getinfolua_getstacklua_gettoplua_insertlua_isstringlua_tothread
                                        • String ID:
                                        • API String ID: 1096481142-0
                                        • Opcode ID: a7afeb3cc668cc822a2e873ac8bf6adb43a25581fdc7b86292aecd30b1918039
                                        • Instruction ID: 6cae3f45fb495163758ac482dec9dec692af92b2482fdb219986a30d7d7d6b76
                                        • Opcode Fuzzy Hash: a7afeb3cc668cc822a2e873ac8bf6adb43a25581fdc7b86292aecd30b1918039
                                        • Instruction Fuzzy Hash: BAF01256A0452122C91232242C42F2F715B0BD2FB6B5D032AF814A63D3ED5D990271EA
                                        APIs
                                        • lua_type.XLLUARUNTIME(?,?), ref: 00FD705C
                                        • lua_typename.XLLUARUNTIME(?,?), ref: 00FD706F
                                        • lua_type.XLLUARUNTIME(?,?,?,?), ref: 00FD7078
                                        • lua_typename.XLLUARUNTIME(?,00000000,?,?,?,?), ref: 00FD707F
                                        • luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,?), ref: 00FD7094
                                          • Part of subcall function 00FD6E80: lua_getstack.XLLUARUNTIME(?,00000000,00FCF237,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1,?,00FCF237), ref: 00FD6EA0
                                          • Part of subcall function 00FD6E80: luaL_error.XLLUARUNTIME(?,bad argument #%d (%s),?,?,?,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1), ref: 00FD6EB8
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_typelua_typename$L_argerrorL_errorlua_getstack
                                        • String ID: %s expected, got %s
                                        • API String ID: 2725611123-156976391
                                        • Opcode ID: 89f55e1efb0f292d072b86e56e214db0344439c4e9db54ff5013a45c13a5e54d
                                        • Instruction ID: 48e11da923dbc28445524a5c9b634f2052a3c27508771381bc2584a9a1c3d497
                                        • Opcode Fuzzy Hash: 89f55e1efb0f292d072b86e56e214db0344439c4e9db54ff5013a45c13a5e54d
                                        • Instruction Fuzzy Hash: EFE092A1506A613A551173649C46CBF736EDDC6B16B4C041BF500E2302D6586D0A61FA
                                        APIs
                                        • luaL_checkany.XLLUARUNTIME(?,00000002), ref: 00FD8148
                                          • Part of subcall function 00FD70A0: lua_type.XLLUARUNTIME(?,?), ref: 00FD70AC
                                          • Part of subcall function 00FD70A0: luaL_argerror.XLLUARUNTIME(?,?,value expected), ref: 00FD70C0
                                        • lua_settop.XLLUARUNTIME(?,00000002,?,00000002), ref: 00FD8150
                                        • lua_insert.XLLUARUNTIME(?,00000001,?,00000002,?,00000002), ref: 00FD8158
                                        • lua_pcall.XLLUARUNTIME(?,00000000,000000FF,00000001,?,00000001,?,00000002,?,00000002), ref: 00FD8164
                                        • lua_pushboolean.XLLUARUNTIME(?,00000000,?,00000000,000000FF,00000001,?,00000001,?,00000002,?,00000002), ref: 00FD8172
                                        • lua_replace.XLLUARUNTIME(?,00000001,?,00000000,?,00000000,000000FF,00000001,?,00000001,?,00000002,?,00000002), ref: 00FD817A
                                        • lua_gettop.XLLUARUNTIME(?,?,00000001,?,00000000,?,00000000,000000FF,00000001,?,00000001,?,00000002,?,00000002), ref: 00FD8180
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_argerrorL_checkanylua_gettoplua_insertlua_pcalllua_pushbooleanlua_replacelua_settoplua_type
                                        • String ID:
                                        • API String ID: 3357644997-0
                                        • Opcode ID: 2d50b3d31366ea16ac47d3bb0e4e97ac318be82e6b395634163105fc41e944a4
                                        • Instruction ID: 95f31d3fd02f0f0ebf258798ecfdbd23fee4f50342dde7477efca504e5c25a92
                                        • Opcode Fuzzy Hash: 2d50b3d31366ea16ac47d3bb0e4e97ac318be82e6b395634163105fc41e944a4
                                        • Instruction Fuzzy Hash: E2E0B675257E2231E92232245C5BFCF210A0F03F22F9C8107B6107A2D2EACD264221EF
                                        APIs
                                        • lua_type.XLLUARUNTIME(?,00000002), ref: 00FDA1C8
                                        • luaL_argerror.XLLUARUNTIME(?,00000002,nil or table expected), ref: 00FDA1E1
                                          • Part of subcall function 00FD6E80: lua_getstack.XLLUARUNTIME(?,00000000,00FCF237,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1,?,00FCF237), ref: 00FD6EA0
                                          • Part of subcall function 00FD6E80: luaL_error.XLLUARUNTIME(?,bad argument #%d (%s),?,?,?,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1), ref: 00FD6EB8
                                        • lua_settop.XLLUARUNTIME(?,00000002), ref: 00FDA1EC
                                        • lua_setmetatable.XLLUARUNTIME(?,00000001,?,00000002), ref: 00FDA1F4
                                        • lua_pushboolean.XLLUARUNTIME(?,00000000,?,00000001,?,00000002), ref: 00FDA1FB
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_argerrorL_errorlua_getstacklua_pushbooleanlua_setmetatablelua_settoplua_type
                                        • String ID: nil or table expected
                                        • API String ID: 3702188742-2873205112
                                        • Opcode ID: 69a2f6b9cc95338aa7e5c748d61547c95cebd6efdd9f7d6e1fe27d88532bc9f3
                                        • Instruction ID: ad78a52d99179c90124dff25f93081d87efce8a2bfb15727c81d163c99b34bb0
                                        • Opcode Fuzzy Hash: 69a2f6b9cc95338aa7e5c748d61547c95cebd6efdd9f7d6e1fe27d88532bc9f3
                                        • Instruction Fuzzy Hash: 25E0EC6AE41A2032E52132146C47FDE320B4F02B16FCC4057FA04B63C3EA8E9B4265EF
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: IcosIsin
                                        • String ID:
                                        • API String ID: 14690888-0
                                        • Opcode ID: 57b35d67ccefffeff2ca3460dd4490ecf96a56d458fcfa3ae231c8eb7c069730
                                        • Instruction ID: c8e48e30b158213f3523a23d3cd5c7869da912fa9bfa6823bc22dbff7d9418f9
                                        • Opcode Fuzzy Hash: 57b35d67ccefffeff2ca3460dd4490ecf96a56d458fcfa3ae231c8eb7c069730
                                        • Instruction Fuzzy Hash: FCB14FB2E04B05A7C3567E40E155186BBB4FB857D0F621E88D4C5A127AFF3289788BC6
                                        APIs
                                        • IntersectRect.USER32(?,?,?), ref: 00E7A222
                                        • OffsetRect.USER32(?,?,?), ref: 00E7A2B6
                                        • OffsetRect.USER32(?,?,?), ref: 00E7A31B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Rect$Offset$Intersect
                                        • String ID:
                                        • API String ID: 407234963-0
                                        • Opcode ID: 1476b6c292d88ba2ee969437cf0047d73e39eb59321b92dddea5be4ed45b9c57
                                        • Instruction ID: 2d0d0d9b6fe358787829e7d369613ad62a607d74dbb412f3cd74d5c3d33781a3
                                        • Opcode Fuzzy Hash: 1476b6c292d88ba2ee969437cf0047d73e39eb59321b92dddea5be4ed45b9c57
                                        • Instruction Fuzzy Hash: 71A16EB56087019FC304CF99D98086BFBE9EFC8704F548A2EF59993314E771EA058B96
                                        APIs
                                        • lua_getfield.XLLUARUNTIME(00000000,FFFFD8F0,?,?,00000000,00FC3332,00000000,?,00000000,00000000,00000000,00FD2F36,?,?,00000000,00000000), ref: 00FD65F1
                                        • lua_type.XLLUARUNTIME(00000000,000000FF,00000000,FFFFD8F0,?,?,00000000,00FC3332,00000000,?,00000000,00000000,00000000,00FD2F36,?,?), ref: 00FD65F9
                                        • lua_settop.XLLUARUNTIME(00000000,000000FE,?,?,00000000,00000000), ref: 00FD660D
                                        • lua_createtable.XLLUARUNTIME(00000000,00000000,00000000,00000000,000000FE,?,?,00000000,00000000), ref: 00FD6617
                                        • lua_pushvalue.XLLUARUNTIME(00000000,000000FF,00000000,00000000,00000000,00000000,000000FE,?,?,00000000,00000000), ref: 00FD661F
                                        • lua_setfield.XLLUARUNTIME(00000000,FFFFD8F0,?,00000000,000000FF,00000000,00000000,00000000,00000000,000000FE,?,?,00000000,00000000), ref: 00FD662B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_createtablelua_getfieldlua_pushvaluelua_setfieldlua_settoplua_type
                                        • String ID:
                                        • API String ID: 891371016-0
                                        • Opcode ID: e9aa32e51c29dd1baaa8f54fdf8f989d4b2586e382c5c63226e2c4f16e0bd076
                                        • Instruction ID: 9807e3a7dc6bcf67d6942b8bf35009c486b764c6dc15bcea0ea32f22ec2c79a1
                                        • Opcode Fuzzy Hash: e9aa32e51c29dd1baaa8f54fdf8f989d4b2586e382c5c63226e2c4f16e0bd076
                                        • Instruction Fuzzy Hash: 97E0393250DA3235DA11712D6C02F8F725E5F83B32FA80327F420A63D29A48A58261EE
                                        APIs
                                        • luaL_checkany.XLLUARUNTIME(?,00000001), ref: 00FD80F8
                                          • Part of subcall function 00FD70A0: lua_type.XLLUARUNTIME(?,?), ref: 00FD70AC
                                          • Part of subcall function 00FD70A0: luaL_argerror.XLLUARUNTIME(?,?,value expected), ref: 00FD70C0
                                        • lua_gettop.XLLUARUNTIME(?,000000FF,00000000), ref: 00FD8105
                                        • lua_pcall.XLLUARUNTIME(?,-00000001,00000000), ref: 00FD8110
                                        • lua_pushboolean.XLLUARUNTIME(?,00000000,?,-00000001,00000000), ref: 00FD811E
                                        • lua_insert.XLLUARUNTIME(?,00000001,?,00000000,?,-00000001,00000000), ref: 00FD8126
                                        • lua_gettop.XLLUARUNTIME(?,?,00000001,?,00000000,?,-00000001,00000000), ref: 00FD812C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_gettop$L_argerrorL_checkanylua_insertlua_pcalllua_pushbooleanlua_type
                                        • String ID:
                                        • API String ID: 1826909310-0
                                        • Opcode ID: 0a7dae82f6358bf8d689852638305d09878078cec31e0550d8a5adc2b2b93a71
                                        • Instruction ID: f13fd1f5fb8af92b7db76c29bcc7e0769037b97c9ff90d1071fcb8fb53025e45
                                        • Opcode Fuzzy Hash: 0a7dae82f6358bf8d689852638305d09878078cec31e0550d8a5adc2b2b93a71
                                        • Instruction Fuzzy Hash: 11E08CA6917E2231E50132302C57FDF300E8F12B22F8C4113F811653C2FA8D6B9210EB
                                        APIs
                                        • memset.MSVCR90 ref: 00E7FC3D
                                        • _DebugHeapAllocator.LIBCPMTD ref: 00E7FC4A
                                        • _itow.MSVCR90 ref: 00E7FC7A
                                          • Part of subcall function 00ECFF90: GetPrivateProfileStringW.KERNEL32(?,00E7F4EE,?,?,00000000,00000000), ref: 00ECFFB4
                                        • _itow.MSVCR90 ref: 00E7FCC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: _itow$AllocatorDebugHeapPrivateProfileStringmemset
                                        • String ID: FontRenderSetting
                                        • API String ID: 2101332600-3994362974
                                        • Opcode ID: c500a685d15b6a1ba51918108fa253b8795a13522b339b056d708004c9894b76
                                        • Instruction ID: 00fafe4d313793b4fc395f4a32cc4076e4875befb7c4856c2ebcaefd80af9452
                                        • Opcode Fuzzy Hash: c500a685d15b6a1ba51918108fa253b8795a13522b339b056d708004c9894b76
                                        • Instruction Fuzzy Hash: 2731A572214341AFC324DB14CD51FABB3E8EFC8714F445A2DF849A7281D771AA09C792
                                        APIs
                                        • _DebugHeapAllocator.LIBCPMTD ref: 00E7F4AA
                                        • _itow.MSVCR90 ref: 00E7F4DA
                                          • Part of subcall function 00ECFF90: GetPrivateProfileStringW.KERNEL32(?,00E7F4EE,?,?,00000000,00000000), ref: 00ECFFB4
                                        • _itow.MSVCR90 ref: 00E7F528
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: _itow$AllocatorDebugHeapPrivateProfileString
                                        • String ID: 1, SIMSUN, 1, 12, Tahoma$CharFontSetting
                                        • API String ID: 629645009-281330025
                                        • Opcode ID: 66bbcea53cfcfeff961976e08ffc2a71abd9a7a1ae8413aa78be4d1a5cdae600
                                        • Instruction ID: 0b0fcf4b38a1bbcea05bb89cc5e4b34e04b0db93b4523e53a180bb6bc8c6a333
                                        • Opcode Fuzzy Hash: 66bbcea53cfcfeff961976e08ffc2a71abd9a7a1ae8413aa78be4d1a5cdae600
                                        • Instruction Fuzzy Hash: BF31C731214340ABC324DB24CD52FABB3E8EF88714F44562DF449A72D1E774AA05C792
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: codecvt
                                        • String ID: Bh
                                        • API String ID: 3662085145-1857079555
                                        • Opcode ID: 08a4eb4988e7eeaf51d0881886b103a8a84e9ed7bee3f8ccad0bc6ca7ffb044c
                                        • Instruction ID: 8cae3e5792642dea4ed58ae42f5383527052be96a63d2469147e69a8ba1bf0fc
                                        • Opcode Fuzzy Hash: 08a4eb4988e7eeaf51d0881886b103a8a84e9ed7bee3f8ccad0bc6ca7ffb044c
                                        • Instruction Fuzzy Hash: 81314E74D00209DBDB08DF95D785BEEBBB1AB48304F205569D4117B291DB76AE82CFA0
                                        APIs
                                        • XL_CreateExp.MSVCR90(?,?,00E66109,?,?), ref: 00E6608C
                                          • Part of subcall function 00EC6480: Concurrency::details::_Condition_variable::_Condition_variable.LIBCMTD ref: 00EC649C
                                        • XL_SetExp.MSVCR90(00000000,a,?,?,?,00E66109,?,?), ref: 00E6609E
                                          • Part of subcall function 00EC6530: Concurrency::details::_Condition_variable::_Condition_variable.LIBCMTD ref: 00EC653F
                                          • Part of subcall function 00EC6530: _Immortalize.LIBCPMTD ref: 00EC6561
                                        • XL_GetExpValue.MSVCR90(00000000,00000000,a,?,?), ref: 00E660AF
                                        • XL_DeleteExp.MSVCR90(00000000,00000000,a,?,?,?,00E66109,?,?), ref: 00E660B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Concurrency::details::_Condition_variableCondition_variable::_$CreateDeleteImmortalizeValue
                                        • String ID: a
                                        • API String ID: 3843554737-1016852433
                                        • Opcode ID: db0a54b2ef4be2c3309d4772b1a9ed8ef3bb55870fbbd1e92e3b8156cf768581
                                        • Instruction ID: a28b9d38162fe1b5906e23ded75d534b7c59348fe34fd73be81f5ee5922c2f68
                                        • Opcode Fuzzy Hash: db0a54b2ef4be2c3309d4772b1a9ed8ef3bb55870fbbd1e92e3b8156cf768581
                                        • Instruction Fuzzy Hash: C4E06D311153115BD714AF25B900BABB3D8BF80365F04182EF850E2241E771884686E2
                                        APIs
                                        • luaL_optlstring.XLLUARUNTIME(?,00000001,00000000,00000000), ref: 00FE344D
                                          • Part of subcall function 00FD7130: lua_type.XLLUARUNTIME(?,?), ref: 00FD713C
                                        • luaL_checkoption.XLLUARUNTIME(?,00000002,all,00FF3590,?,00000001,00000000,00000000), ref: 00FE3461
                                          • Part of subcall function 00FD7550: lua_type.XLLUARUNTIME(?,?), ref: 00FD7566
                                          • Part of subcall function 00FD7550: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,invalid option '%s',00000000), ref: 00FD75E5
                                        • setlocale.MSVCR90 ref: 00FE346F
                                        • lua_pushstring.XLLUARUNTIME(?,00000000), ref: 00FE3477
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_type$L_argerrorL_checkoptionL_optlstringlua_pushstringsetlocale
                                        • String ID: all
                                        • API String ID: 2374952761-991457757
                                        • Opcode ID: a71b175d0ee6404481904ae7ef212038f4a9360b0ab0a8f8f2440d00fd6d9e7b
                                        • Instruction ID: d6dd6c8e44d9d7c9eaff39ce13173a238304f4b1ef259170b1a11c015830be46
                                        • Opcode Fuzzy Hash: a71b175d0ee6404481904ae7ef212038f4a9360b0ab0a8f8f2440d00fd6d9e7b
                                        • Instruction Fuzzy Hash: DFE0CD31A5132972E62076A8BC0BFDB769D4FC5B00F0C0402B204EF2E1E5D8FA8192E9
                                        APIs
                                        • _errno.MSVCR90 ref: 00FDE590
                                        • strerror.MSVCR90 ref: 00FDE599
                                        • lua_tolstring.XLLUARUNTIME(?,000000FF,00000000,?,%s: %s,?,00000000), ref: 00FDE5B5
                                        • luaL_argerror.XLLUARUNTIME(?,?,00000000,?,000000FF,00000000,?,%s: %s,?,00000000), ref: 00FDE5C1
                                          • Part of subcall function 00FD6E80: lua_getstack.XLLUARUNTIME(?,00000000,00FCF237,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1,?,00FCF237), ref: 00FD6EA0
                                          • Part of subcall function 00FD6E80: luaL_error.XLLUARUNTIME(?,bad argument #%d (%s),?,?,?,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1), ref: 00FD6EB8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_argerrorL_error_errnolua_getstacklua_tolstringstrerror
                                        • String ID: %s: %s
                                        • API String ID: 2937447132-3740598653
                                        • Opcode ID: 34988afc908f6b762a84abbed09be6aae1c3c1ab2bd680ead03956eb3c4cb2b1
                                        • Instruction ID: 310a4616dfd4b53b2d23c853d58bd0d221fb4501433994c2351f4d19f717efac
                                        • Opcode Fuzzy Hash: 34988afc908f6b762a84abbed09be6aae1c3c1ab2bd680ead03956eb3c4cb2b1
                                        • Instruction Fuzzy Hash: D3E01274104510BFD101AB60DC46F7F335EAF89719F944204F62496391DA68A901A76A
                                        APIs
                                        • XL_CloneBitmap.MSVCR90(?,61C1F77A,?,00000000,?,?,?,00ED19F6,000000FF,00E6E457,?,?,?,61C1F77A,?,?), ref: 00E6E20D
                                        • XL_StretchBitmap.MSVCR90(00000000,?,?,61C1F77A,?,00000000,?,?,?,00ED19F6,000000FF,00E6E457,?,?,?,61C1F77A), ref: 00E6E21B
                                        • XL_ReleaseBitmap.MSVCR90(?,00000000,?,?,?,00ED19F6,000000FF,00E6E457,?,?,?,61C1F77A,?,?), ref: 00E6E239
                                        • XL_SetTextureRect.MSVCR90 ref: 00E6E2F1
                                        • XL_DefaultGraphicHint.MSVCR90(?), ref: 00E6E37F
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Bitmap$CloneDefaultGraphicHintRectReleaseStretchTexture
                                        • String ID:
                                        • API String ID: 733161657-0
                                        • Opcode ID: b24d076021148fd306441f258d110b167920432f930fa58a7470e9a878f1b00c
                                        • Instruction ID: beeb3f5306776d62f786fb29886cb54aa4984efc001208ddeb2d75e0d8f44849
                                        • Opcode Fuzzy Hash: b24d076021148fd306441f258d110b167920432f930fa58a7470e9a878f1b00c
                                        • Instruction Fuzzy Hash: 7BA19FB5A447409FC720CF19E480A2BF7E5FBC8754F144A2EE48A93741E736E905CB92
                                        APIs
                                          • Part of subcall function 00E53AD0: IntersectRect.USER32(?,?,?), ref: 00E53B05
                                        • memset.MSVCR90 ref: 00E5551A
                                        • XL_FillBlend.MSVCR90 ref: 00E5556B
                                        • XL_SetPenColor.MSVCR90(?,?), ref: 00E555F6
                                        • XL_DrawLine.MSVCR90(?,?,?,?,?,?,?), ref: 00E5562A
                                        • XL_DrawLine.MSVCR90(?,?,?,?,?,?,?), ref: 00E55658
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: DrawLine$BlendColorFillIntersectRectmemset
                                        • String ID:
                                        • API String ID: 4191478769-0
                                        • Opcode ID: 107d87d636174377aa52825a211b82867c60d525a175fef503ee3b636a63165b
                                        • Instruction ID: 75489bb97ad7c0329976bc4ccba6f009b48fefa31cda53cbfede1a2f86a7a4be
                                        • Opcode Fuzzy Hash: 107d87d636174377aa52825a211b82867c60d525a175fef503ee3b636a63165b
                                        • Instruction Fuzzy Hash: B29148B55087809FC324DF64C591B6BBBE5BFC8314F14895DE9899B342DB30E849CBA2
                                        APIs
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90 ref: 00E7E34E
                                        • ?length@?$char_traits@_W@std@@SAIPB_W@Z.MSVCP90(?), ref: 00E7E355
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?,?,00000000,75A8EB20,000001FC,00000000), ref: 00E7E388
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E7E3D7
                                        • ?assign@?$char_traits@_W@std@@SAXAA_WAB_W@Z.MSVCP90(?,?), ref: 00E7E422
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: W@std@@$?assign@?$char_traits@_$?length@?$char_traits@_
                                        • String ID:
                                        • API String ID: 2115636358-0
                                        • Opcode ID: 9fbfe950fbb58d3b21057ec63250c0bf081860965f44e9f5dc7199526d89bc9a
                                        • Instruction ID: 5a0ce3a125e006697fedba3d8b1dc9318f5f1ad270ef88c4f14b39463dc5c235
                                        • Opcode Fuzzy Hash: 9fbfe950fbb58d3b21057ec63250c0bf081860965f44e9f5dc7199526d89bc9a
                                        • Instruction Fuzzy Hash: 26416FB28083009FC310DF59D985A5BFBF8FB88754F445A2EF59AA3251D735E908CB92
                                        APIs
                                        • _itoa.MSVCR90 ref: 00E65E93
                                        • XL_SetRectExpLeft.MSVCR90(?,?,00000000,00ED3524,00ED3524,00ED3524,?,?,?,?,?), ref: 00E65EB4
                                        • XL_SetRectExpTop.MSVCR90(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00E65ECF
                                        • XL_SetRectExpWidth.MSVCR90(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E65EEA
                                        • XL_SetRectExpHeight.MSVCR90(?,00000000), ref: 00E65F05
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Rect$HeightLeftWidth_itoa
                                        • String ID:
                                        • API String ID: 457614765-0
                                        • Opcode ID: ebc180578b15c92273f9600caa6ef41225fc4fdf72312f081246e387abcac776
                                        • Instruction ID: 24dd9caa68540e7b66948cfb8d96d8dd70ce8737a0bfc42c64b9104c0d3b49c5
                                        • Opcode Fuzzy Hash: ebc180578b15c92273f9600caa6ef41225fc4fdf72312f081246e387abcac776
                                        • Instruction Fuzzy Hash: 2721A672704A009FC618EB39E89297BF3E8EF88350FC5980EF45BD7641DA35E9148792
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: fopen
                                        • String ID:
                                        • API String ID: 1432627528-0
                                        • Opcode ID: 0476487820cd5e18e92fa2135d73cbf1d4cdc9e4ffc8941c695df87242a1ef3f
                                        • Instruction ID: 4f6c947f3a01fdd603c106c9381963c497b7fdac71e8b3356978d06a448085b0
                                        • Opcode Fuzzy Hash: 0476487820cd5e18e92fa2135d73cbf1d4cdc9e4ffc8941c695df87242a1ef3f
                                        • Instruction Fuzzy Hash: D011A3716017085FD320AF6EFC8496BBBECEB84725B44442FF14ED6601C775A5498BA2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: EnumFamiliesFontReleasememsetwcsncpy
                                        • String ID:
                                        • API String ID: 2212730583-0
                                        • Opcode ID: 3deac4909b0893b217d0ad06ce7fe4b6c206fd28d7f3f7e504c1e0a8fce3527b
                                        • Instruction ID: f318c41199ac126ac6784d700cf03523900ffcba111fa28e2ac948834031396a
                                        • Instruction Fuzzy Hash: 061119715093809FD350DF699805B9BBBE4BFC8704F44890EF69897291D77096088BA3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ($(
                                        • API String ID: 0-222463766
                                        • Opcode ID: a979cc26b72ab127e7f2401fe6c2ab1c3ea7b029d7ec2da63041a5af29a0852c
                                        • Instruction ID: 82563811b1c48c8ec0c66894b90acf2484b4d8d9900f9d92af6ec27b3bae31a7
                                        • Instruction Fuzzy Hash: BA6136B16083419FC718CF69D480A1BBBE5EFC8714F108A2EF999D7355E771E8048B66
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: _wcsicmpmemsetwcsncpy
                                        • String ID: defaultfont
                                        • API String ID: 4002316500-3013108229
                                        • Opcode ID: 76984e0cc36ad5d50246318a288184a081f08cd34c6fbc59988fa0180f239479
                                        • Instruction ID: b7bcf74cd2f95b2df28728a48664b906b626571d0b0ae4e7bb409784b6ecf081
                                        • Instruction Fuzzy Hash: B721D371A002085BDB24BF799C85AAF77DCEFD1318F14942BF91AB7213EB75C9048662
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(vector<T> too long,61C1F77A,?,?,?,?,?,?,00000000,00ED2639,000000FF,?,00ECD133,00000000,?,00ECCB6C), ref: 00ECDCCD
                                        • _CxxThrowException.MSVCR90(?,00EEAF50), ref: 00ECDCEF
                                        • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP90(?,00EEAF50,?,?,?,?,?,?,?,00000000,00ED2639,000000FF,?,00ECD133,00000000), ref: 00ECDCFE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrow
                                        • String ID: vector<T> too long
                                        • API String ID: 2034288732-3788999226
                                        • Opcode ID: 24843003db6b3eaee2156e7bf33acc2474b7c4c46cac47aaabcc2827f62af675
                                        • Instruction ID: 11bb3aae817eb4ec12bd195c8fd6ab5e2a608e36816b1a45b15bfddfb7a1c434
                                        • Instruction Fuzzy Hash: CCF03171955748EFC704EFA1DD41B9DB7B8FB04720F50422AE412772D4DB746A09CA41
                                        APIs
                                        • lua_rawgeti.XLLUARUNTIME(?,FFFFD8EF,00000001), ref: 00FDF01E
                                        • lua_touserdata.XLLUARUNTIME(?,000000FF,?,FFFFD8EF,00000001), ref: 00FDF026
                                        • luaL_error.XLLUARUNTIME(?,standard %s file is closed,00FF2878), ref: 00FDF040
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        Strings
                                        • standard %s file is closed, xrefs: 00FDF03A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_errorL_wherelua_concatlua_errorlua_pushvfstringlua_rawgetilua_touserdata
                                        • String ID: standard %s file is closed
                                        • API String ID: 707260198-758085179
                                        • Opcode ID: f9da067a46652d0dd79bc8e50a6bee110f9256d0574fe5f7a8550da06a2828d7
                                        • Instruction ID: 4b7de92c45eba9705adc537a23ed399b9ef7d2a90d9d131f2c4cf168476da088
                                        • Instruction Fuzzy Hash: D9E0263660042033C5027208BC02FAF335A4F82B30F1D0222F9146B3D3E659AA41B3E6
                                        APIs
                                        • lua_tothread.XLLUARUNTIME(?,00000001), ref: 00FD8429
                                        • luaL_argerror.XLLUARUNTIME(?,00000001,coroutine expected), ref: 00FD843F
                                          • Part of subcall function 00FD6E80: lua_getstack.XLLUARUNTIME(?,00000000,00FCF237,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1,?,00FCF237), ref: 00FD6EA0
                                          • Part of subcall function 00FD6E80: luaL_error.XLLUARUNTIME(?,bad argument #%d (%s),?,?,?,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1), ref: 00FD6EB8
                                        • lua_pushstring.XLLUARUNTIME(?,00000000,?), ref: 00FD8456
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_argerrorL_errorlua_getstacklua_pushstringlua_tothread
                                        • String ID: coroutine expected
                                        • API String ID: 1607481980-3001328647
                                        • Opcode ID: 4a4eabccecc58f8abd216e1f2fdeede1ebb18f8aeb8f3d8dfdb8761779a9b5ab
                                        • Instruction ID: 8aeb18114469e25ff211d3ab4ee100ed9490ec03cfdc4aee39e3fcad020c6736
                                        • Instruction Fuzzy Hash: 15E08C3294111427D62232587C82FBF776E4FD2F61F09001AF804AA392E6DE9883B1E2
                                        APIs
                                        • luaL_checkudata.XLLUARUNTIME(?,00000001,FILE*), ref: 00FDF06E
                                          • Part of subcall function 00FD6FC0: lua_touserdata.XLLUARUNTIME(?,?), ref: 00FD6FCE
                                          • Part of subcall function 00FD6FC0: lua_getmetatable.XLLUARUNTIME(?,?), ref: 00FD6FE2
                                          • Part of subcall function 00FD6FC0: lua_getfield.XLLUARUNTIME(?,FFFFD8F0,?), ref: 00FD6FF5
                                          • Part of subcall function 00FD6FC0: lua_rawequal.XLLUARUNTIME(?,000000FF,000000FE,?,FFFFD8F0,?), ref: 00FD6FFF
                                          • Part of subcall function 00FD6FC0: lua_settop.XLLUARUNTIME(?,000000FD), ref: 00FD700E
                                        • luaL_error.XLLUARUNTIME(?,attempt to use a closed file), ref: 00FDF083
                                          • Part of subcall function 00FD65B0: luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD65B0: lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                          • Part of subcall function 00FD65B0: lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                          • Part of subcall function 00FD65B0: lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_checkudataL_errorL_wherelua_concatlua_errorlua_getfieldlua_getmetatablelua_pushvfstringlua_rawequallua_settoplua_touserdata
                                        • String ID: FILE*$attempt to use a closed file
                                        • API String ID: 3674837396-999929173
                                        • Opcode ID: 8662aae5c42d7bbfd17ebf2410282d7da5a9ab6e510d18c04dfd5ab43747d06a
                                        • Instruction ID: dfd867531b4d9de28c024e106a7787e5da650419ff803ae0fa4ce39433f8c9ab
                                        • Instruction Fuzzy Hash: 62D0C222A5021123C6203204BC03F9F77568F85724F0D0032F50867382F2E94596A2E3
                                        APIs
                                        • XL_DefaultGraphicHint.MSVCR90(?,?,?), ref: 00E74A50
                                        • XL_DefaultGraphicHint.MSVCR90(?,00000000), ref: 00E74B16
                                        • XL_DefaultGraphicHint.MSVCR90(?,?), ref: 00E74CE0
                                        • XL_DefaultGraphicHint.MSVCR90(?,?), ref: 00E74D44
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: DefaultGraphicHint
                                        • String ID:
                                        • API String ID: 196006533-0
                                        • Opcode ID: 21db2183ba64deafa3f4872dffa13fceb8784d455ad3b0395909607f195573fc
                                        • Instruction ID: b157e0ca48f6517160456a2a304fdd0619976f0777fc3eee609156eafa59d63a
                                        • Instruction Fuzzy Hash: 77E112B4A087019FC728DF69D48092BF7E5AFC8700F14992EFA9997361E771E841CB52
                                        APIs
                                        • XL_DefaultGraphicHint.MSVCR90(?,?,?), ref: 00E6F3C6
                                        • XL_DefaultGraphicHint.MSVCR90(?,00000000), ref: 00E6F480
                                        • XL_DefaultGraphicHint.MSVCR90(?,?), ref: 00E6F643
                                        • XL_DefaultGraphicHint.MSVCR90(?,?), ref: 00E6F6A7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: DefaultGraphicHint
                                        • String ID:
                                        • API String ID: 196006533-0
                                        • Opcode ID: fc0d40361d760c31d98f82e781ed8f3cd40712e36aee2b381394db46767819ac
                                        • Instruction ID: 3435faa7ceb989278ebbdcf8d0685b409336d558286eb7ab9facbca0ae638b5c
                                        • Instruction Fuzzy Hash: 3AE101B4A087018FC728DF69E48092BFBE5AFC8740F14992EF59997321E770E841CB52
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4620180af047483895c7362a72bb131017a756e37f2c0adc7c5b681c2f348754
                                        • Instruction ID: 418814399446d4ebdcae0ffde502ba0716d413544ff223af5b15bbe66ba2c5a3
                                        • Instruction Fuzzy Hash: D9E10874A083459FCB24CF18D480AAEBBE5EF88754F149A1EF849A7395D770ED40CB92
                                        APIs
                                        • XL_GetBitmapInfo.MSVCR90(?,?), ref: 00E558B0
                                        • XL_GetLogPen.MSVCR90(?,?,?,?,?), ref: 00E5595E
                                        • XL_CreatePen.MSVCR90 ref: 00E5597C
                                        • XL_ReleasePen.MSVCR90(?), ref: 00E559FD
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: BitmapCreateInfoRelease
                                        • String ID:
                                        • API String ID: 3571685347-0
                                        • Opcode ID: 1638825227e32f4085998cb728ad4665b9a606f6cc73a0d85c1f62312fd34cc8
                                        • Instruction ID: af53847561ab93c12c4379bc0e4e4dc49954383dfb69ac50ea05890222ed77b4
                                        • Instruction Fuzzy Hash: 15817E722086449FD318CEA9C894D2BF3E9EFC9354F144A1DF995D3340E675EC498B62
                                        APIs
                                        • XL_GetBitmapInfo.MSVCR90(?,?), ref: 00E55B70
                                        • XL_GetLogPen.MSVCR90(?,?,?,?,?), ref: 00E55C1E
                                        • XL_CreatePen.MSVCR90 ref: 00E55C3C
                                        • XL_ReleasePen.MSVCR90(?), ref: 00E55CBD
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: BitmapCreateInfoRelease
                                        • String ID:
                                        • API String ID: 3571685347-0
                                        • Opcode ID: e7a18767a92ad06a60936c0686f5d9c3cf847af7c81f2e2da6305a3745431fd4
                                        • Instruction ID: 8645682ff153ba51947cbd4575dbc02dc338b14122118f2a919a9f09afe251a5
                                        • Instruction Fuzzy Hash: ED8159726087019FC318CEA9C99092BF7E9EFC9354F14491DF995D3340EAB5EC498BA2
                                        APIs
                                        • strncmp.MSVCR90(?,dup,00000003), ref: 00EB1080
                                        • strncmp.MSVCR90(00000000,put,00000003), ref: 00EB10F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: strncmp
                                        • String ID: dup$put
                                        • API String ID: 1114863663-1042916250
                                        • Opcode ID: 230483c8870ca89991525dd29a0dd1a0a57201f846f86253ec048adda492b661
                                        • Instruction ID: a44f16dd1c612a2c8ef8bb88356c4d4b28948b7f3bc06e89e37ba5572d8feb30
                                        • Instruction Fuzzy Hash: F3717F716003019FCB04DF29C894A9BB7E8FF88315F4455A9FD4ADB216E634EA14CBA1
                                        APIs
                                        • EnterCriticalSection.KERNEL32(?,E3DC3B0A), ref: 00FCD4F5
                                        • ?compare@?$char_traits@D@std@@SAHPBD0I@Z.MSVCP90(?,?,?), ref: 00FCD58D
                                        • LeaveCriticalSection.KERNEL32(?,?,00000001,?), ref: 00FCD64D
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: CriticalSection$?compare@?$char_traits@D@std@@EnterLeave
                                        • String ID:
                                        • API String ID: 2356793199-0
                                        • Opcode ID: 731ddc1acf86d7e183a70cf037d2e1d263fcd534ed71793f6d5e0be98fd0be78
                                        • Instruction ID: 169b7767bbc29412d13f4b55d67f60bb76c3839dd30d809360d04527eed4d4b8
                                        • Instruction Fuzzy Hash: 0B51C571604202CFC714CF28DA85F2AB7E5FF88744F19492DE84ADB341DA31E905DB91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                        • GetGlyphOutlineW.GDI32(?,?,?,00000020,?,?,0000000E), ref: 00E80ABF
                                        • GetGlyphOutlineW.GDI32(?,?,00000000,00000020,?,?,0000000E), ref: 00E80ADA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: GlyphOutline
                                        • String ID:
                                        • API String ID: 2311061089-0
                                        APIs
                                        • ?_Xran@_String_base@std@@SAXXZ.MSVCP90 ref: 00E510B3
                                        • ?_Xlen@_String_base@std@@SAXXZ.MSVCP90 ref: 00E510DC
                                        • ?_Xlen@_String_base@std@@SAXXZ.MSVCP90 ref: 00E510F7
                                        • ?_Copy_s@?$char_traits@_W@std@@SAPA_WPA_WIPB_WI@Z.MSVCP90(00000008,00000008,?,?), ref: 00E51159
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: String_base@std@@$Xlen@_$Copy_s@?$char_traits@_W@std@@Xran@_
                                        • String ID:
                                        • API String ID: 3651241351-0
                                        APIs
                                        • memset.MSVCR90 ref: 00E805E3
                                        • wcsncpy.MSVCR90 ref: 00E805F3
                                        • CreateFontIndirectW.GDI32 ref: 00E8062C
                                          • Part of subcall function 00E804E0: GetDC.USER32(00000000), ref: 00E804E6
                                          • Part of subcall function 00E804E0: SelectObject.GDI32(00000000,?), ref: 00E804F4
                                          • Part of subcall function 00E804E0: GetOutlineTextMetricsW.GDI32(00000000,00000000,00000000,?,00E80645,00000000,00000058), ref: 00E80507
                                          • Part of subcall function 00E804E0: memset.MSVCR90 ref: 00E80527
                                          • Part of subcall function 00E804E0: GetOutlineTextMetricsW.GDI32(00000000,00000000,00000000,?,?,?,?), ref: 00E80538
                                          • Part of subcall function 00E804E0: SelectObject.GDI32(00000000,?), ref: 00E80578
                                          • Part of subcall function 00E804E0: ReleaseDC.USER32(00000000,00000000), ref: 00E80581
                                        • DeleteObject.GDI32(?), ref: 00E8064D
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Object$MetricsOutlineSelectTextmemset$CreateDeleteFontIndirectReleasewcsncpy
                                        • String ID:
                                        • API String ID: 3039118469-0
                                        APIs
                                        • strncmp.MSVCR90(?,StartData,00000009), ref: 00EA73E8
                                        • strncmp.MSVCR90(?,/sfnts,00000006), ref: 00EA7403
                                        • strncmp.MSVCR90(?,(Hex),00000005), ref: 00EA7490
                                        • atol.MSVCR90(?), ref: 00EA749E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: strncmp$atol
                                        • String ID: /sfnts$StartData
                                        • API String ID: 4253204224-3427144809
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: SimSun$Tahoma
                                        • API String ID: 2081463915-3887695749
                                        APIs
                                        • luaL_checknumber.XLLUARUNTIME(?,00000001,?), ref: 00FE1450
                                          • Part of subcall function 00FD7190: lua_tonumber.XLLUARUNTIME(?,?), ref: 00FD719F
                                          • Part of subcall function 00FD7190: lua_isnumber.XLLUARUNTIME(?,?), ref: 00FD71BA
                                          • Part of subcall function 00FD7190: lua_typename.XLLUARUNTIME(?,00000003), ref: 00FD71CA
                                          • Part of subcall function 00FD7190: lua_type.XLLUARUNTIME(?,?,?,00000003), ref: 00FD71D3
                                          • Part of subcall function 00FD7190: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000003), ref: 00FD71DA
                                          • Part of subcall function 00FD7190: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000003), ref: 00FD71EF
                                        • modf.MSVCR90 ref: 00FE1458
                                        • lua_pushnumber.XLLUARUNTIME(?), ref: 00FE146D
                                        • lua_pushnumber.XLLUARUNTIME(?), ref: 00FE147D
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                         • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_pushnumberlua_typename$L_argerrorL_checknumberlua_isnumberlua_tonumberlua_typemodf
                                        • String ID:
                                        • API String ID: 3842637937-0
                                        APIs
                                        • XL_CaclExp.MSVCR90(?,?,00E65809,?,?,?,?,?,?,?,00E4EB76,?,?), ref: 00E6616C
                                        • XL_GetExpValue.MSVCR90(00000000,?,?,00E65809,?,?,?,?,?,?,?,00E4EB76,?,?), ref: 00E66174
                                        • XL_CaclExp.MSVCR90(?,?,00E65809,?,?,?,?,?,?,?,00E4EB76,?,?), ref: 00E66184
                                        • XL_GetExpValue.MSVCR90(?,?,?,00E65809,?,?,?,?,?,?,?,00E4EB76,?,?), ref: 00E6618D
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: CaclValue
                                        • String ID:
                                        • API String ID: 3266023997-0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00E7C344
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00E7C355
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E7C360
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00E7C36B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                         • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                         • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: CapsDevice$Release
                                        • String ID:
                                        • API String ID: 1035833867-0
                                        APIs
                                        • luaL_checknumber.XLLUARUNTIME(?,00000001), ref: 00FE14CB
                                          • Part of subcall function 00FD7190: lua_tonumber.XLLUARUNTIME(?,?), ref: 00FD719F
                                          • Part of subcall function 00FD7190: lua_isnumber.XLLUARUNTIME(?,?), ref: 00FD71BA
                                          • Part of subcall function 00FD7190: lua_typename.XLLUARUNTIME(?,00000003), ref: 00FD71CA
                                          • Part of subcall function 00FD7190: lua_type.XLLUARUNTIME(?,?,?,00000003), ref: 00FD71D3
                                          • Part of subcall function 00FD7190: lua_typename.XLLUARUNTIME(?,00000000,?,?,?,00000003), ref: 00FD71DA
                                          • Part of subcall function 00FD7190: luaL_argerror.XLLUARUNTIME(?,?,00000000,?,%s expected, got %s,00000000,00000000,?,00000000,?,?,?,00000003), ref: 00FD71EF
                                        • luaL_checknumber.XLLUARUNTIME(?,00000002,?,00000001), ref: 00FE14D7
                                        • _CIpow.MSVCR90 ref: 00FE14E5
                                        • lua_pushnumber.XLLUARUNTIME(?), ref: 00FE14F1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                         • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_checknumberlua_typename$IpowL_argerrorlua_isnumberlua_pushnumberlua_tonumberlua_type
                                        • String ID:
                                        • API String ID: 542004656-0
                                        APIs
                                        • luaL_where.XLLUARUNTIME(?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?,?,?,?,?,00FCF237,?), ref: 00FD65B8
                                          • Part of subcall function 00FD6520: lua_getstack.XLLUARUNTIME(?,?,?,?), ref: 00FD653E
                                          • Part of subcall function 00FD6520: lua_getinfo.XLLUARUNTIME(?,00FF1C64,?,?,?,?), ref: 00FD6555
                                        • lua_pushvfstring.XLLUARUNTIME(?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65C8
                                        • lua_concat.XLLUARUNTIME(?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D0
                                        • lua_error.XLLUARUNTIME(?,?,00000002,?,?,00FD6F68,?,00000001,?,00FD6F68,?,bad argument #%d to '%s' (%s),?,?,?), ref: 00FD65D6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                         • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_wherelua_concatlua_errorlua_getinfolua_getstacklua_pushvfstring
                                        • String ID:
                                        • API String ID: 1778428932-0
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(invalid map/set<T> iterator,E3DC3B0A,?,00000004,?,00000000), ref: 00FC2060
                                          • Part of subcall function 00FC11A0: ??0exception@std@@QAE@XZ.MSVCR90(E3DC3B0A,00000024,?,?,00FEEBA9,000000FF,00FCB998), ref: 00FC11C8
                                          • Part of subcall function 00FC11A0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP90(?), ref: 00FC11E4
                                        • _CxxThrowException.MSVCR90(?,00FF4CF4), ref: 00FC208E
                                        Strings
                                        • invalid map/set<T> iterator, xrefs: 00FC2057
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                         • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: ??0?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0exception@std@@ExceptionThrowV01@@
                                        • String ID: invalid map/set<T> iterator
                                        • API String ID: 3995155753-152884079
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(invalid map/set<T> iterator,E3DC3B0A,?,00000000,?,?), ref: 00FC7050
                                          • Part of subcall function 00FC11A0: ??0exception@std@@QAE@XZ.MSVCR90(E3DC3B0A,00000024,?,?,00FEEBA9,000000FF,00FCB998), ref: 00FC11C8
                                          • Part of subcall function 00FC11A0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP90(?), ref: 00FC11E4
                                        • _CxxThrowException.MSVCR90(?,00FF4CF4), ref: 00FC707E
                                        Strings
                                        • invalid map/set<T> iterator, xrefs: 00FC7047
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                         • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                         • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: ??0?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0exception@std@@ExceptionThrowV01@@
                                        • String ID: invalid map/set<T> iterator
                                        • API String ID: 3995155753-152884079
                                        • Opcode ID: 17cf9ffc95c131bcfbbc77e150157ac130ffe5d756997e5301efa1d71610a20d
                                        • Instruction ID: a77c28d4a2d0493784ccc8485510c22d2f18130ccbed362ed6cea04ac0a986b3
                                        • Opcode Fuzzy Hash: 17cf9ffc95c131bcfbbc77e150157ac130ffe5d756997e5301efa1d71610a20d
                                        • Instruction Fuzzy Hash: 75A19AB090C3869FD711EF24C681F56BBE1AF69314F18859DE4894B362C331E849EFA5
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(invalid map/set<T> iterator,E3DC3B0A,00000000,?), ref: 00FD407C
                                          • Part of subcall function 00FC11A0: ??0exception@std@@QAE@XZ.MSVCR90(E3DC3B0A,00000024,?,?,00FEEBA9,000000FF,00FCB998), ref: 00FC11C8
                                          • Part of subcall function 00FC11A0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP90(?), ref: 00FC11E4
                                        • _CxxThrowException.MSVCR90(?,00FF4CF4), ref: 00FD40AA
                                        Strings
                                        • invalid map/set<T> iterator, xrefs: 00FD4073
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: ??0?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0exception@std@@ExceptionThrowV01@@
                                        • String ID: invalid map/set<T> iterator
                                        • API String ID: 3995155753-152884079
                                        • Opcode ID: 7b834d36668cdf64ba2c3dd5ef8e22ff42336ac3ce0ec5382b46be840c2d4146
                                        • Instruction ID: 0c13cfff1a7a483bd0f3bd4da10209f209135c1ddb9fe94f359d7e533899427e
                                        • Opcode Fuzzy Hash: 7b834d36668cdf64ba2c3dd5ef8e22ff42336ac3ce0ec5382b46be840c2d4146
                                        • Instruction Fuzzy Hash: 34A15C71A08281DFDB16CF14C490A15BBE3AF65314F2C859EE4858B362C771ED89EBD2
                                        APIs
                                        • Concurrency::details::_Condition_variable::_Condition_variable.LIBCMTD ref: 00EC653F
                                        • _Immortalize.LIBCPMTD ref: 00EC6561
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Concurrency::details::_Condition_variableCondition_variable::_Immortalize
                                        • String ID: a
                                        • API String ID: 1411628985-1016852433
                                        • Opcode ID: cfc4d89d8eb1692358c058949e1421e3caa2a4b6c88273488287515db105f398
                                        • Instruction ID: 6804e057c5eba8a8ba77e765694f84831f687e58f3174c09df3cef4a98b0d244
                                        • Opcode Fuzzy Hash: cfc4d89d8eb1692358c058949e1421e3caa2a4b6c88273488287515db105f398
                                        • Instruction Fuzzy Hash: 62213D709081599BCF09EFA4CA51FEFBBB4AF54304F04511DE5527B285DB366A0BCBA0
                                        APIs
                                        • _setjmp3.MSVCR90 ref: 00E8E847
                                          • Part of subcall function 00E8DAC0: longjmp.MSVCR90(?,00000001,?,?,00E8E884), ref: 00E8DB02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: _setjmp3longjmp
                                        • String ID: $@
                                        • API String ID: 848167055-3947257237
                                        • Opcode ID: 2313cfd27539b42490e68f6b2aa268b0094b559f9f96918cdf8e67241b91b8d4
                                        • Instruction ID: abf9b5b3bcad330437281445da60bc9fa0ccfdf94b227450cf60fd332b9fe73c
                                        • Opcode Fuzzy Hash: 2313cfd27539b42490e68f6b2aa268b0094b559f9f96918cdf8e67241b91b8d4
                                        • Instruction Fuzzy Hash: 28014071A05204DBC714EF59E941B9AB7E8FF48304F18819DE94DA7341E731EE00CB95
                                        APIs
                                        • XLFS_CreateStreamFromMemory.XLFSIO(?,?,?,?,?,00E4E0C6,?,?,?,?), ref: 00E4D197
                                          • Part of subcall function 00E4CBF0: InterlockedDecrement.KERNEL32(00000004), ref: 00E4CBF8
                                        • XLFS_ReleaseStream.XLFSIO(00000000,?,?,?,?,00E4E0C6,?,?,?,?), ref: 00E4D1C2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Stream$CreateDecrementFromInterlockedMemoryRelease
                                        • String ID: test.png
                                        • API String ID: 584912420-702945454
                                        • Opcode ID: e0eaa9236bb440d04b82a5b361da9041209a320428ab14c2e9aeeffca8fc43f2
                                        • Instruction ID: c80c8954f097c3417aa50464ca0dff985b67334114e02c142044403638ef8003
                                        • Opcode Fuzzy Hash: e0eaa9236bb440d04b82a5b361da9041209a320428ab14c2e9aeeffca8fc43f2
                                        • Instruction Fuzzy Hash: 9FF0963670A2156F9211DA29BC40D6FA7ECDBD8750711891BFD81E3355DA70DC4286A1
                                        APIs
                                          • Part of subcall function 00E4D110: PathFindExtensionW.SHLWAPI(?,?,?,?,?,00E4D186,?,?,00E4E0C6,?,?,?,?), ref: 00E4D11B
                                        • XLFS_CreateStreamFromMemory.XLFSIO(?,?,?,test.png), ref: 00E4D23C
                                        • XLFS_ReleaseStream.XLFSIO(00000000,?,?,test.png), ref: 00E4D267
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: Stream$CreateExtensionFindFromMemoryPathRelease
                                        • String ID: test.png
                                        • API String ID: 287748794-702945454
                                        • Opcode ID: 3c6c0555188a11af35898a332e43404e04aaf2195aa763a12df933edaff636db
                                        • Instruction ID: 7e4203dd0973100386cbd63889b61c62fb3714f28322b8fd78b1a3ef8d6ae153
                                        • Opcode Fuzzy Hash: 3c6c0555188a11af35898a332e43404e04aaf2195aa763a12df933edaff636db
                                        • Instruction Fuzzy Hash: 16F08976709511AF8211DB69FC44D6FE7E9DBD8760311891FF940E7354C970DC0686B1
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(list<T> too long,61C1F77A,?,000000FF,00E7BFA8,00000001,?,?,?,?,?,00000000,?,?,00E7C4C7,?), ref: 00E7A87F
                                          • Part of subcall function 00E4CEB0: ??0exception@std@@QAE@XZ.MSVCR90(61C1F77A,?,?,?,00ED1429,000000FF,00E4CF5D,?,?,00ECDCE6,?), ref: 00E4CED8
                                          • Part of subcall function 00E4CEB0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP90 ref: 00E4CEF4
                                        • _CxxThrowException.MSVCR90(?,00EEAF50), ref: 00E7A8AD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: ??0?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0exception@std@@ExceptionThrowV01@@
                                        • String ID: list<T> too long
                                        • API String ID: 3995155753-4027344264
                                        • Opcode ID: cea488fb44f7e492ac3d7730b3ef6a02a34d1cb8c01b7fb2ea924730385eb942
                                        • Instruction ID: d69b23286ee1032c96bef0e7ef248756cb4d139ea9422a9609cb5517e718f35b
                                        • Opcode Fuzzy Hash: cea488fb44f7e492ac3d7730b3ef6a02a34d1cb8c01b7fb2ea924730385eb942
                                        • Instruction Fuzzy Hash: 6E0184765083409FC304DF28C841B56F7E4EB98724F148B2FF469A3390E731A905CB42
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(list<T> too long,61C1F77A,00000004), ref: 00E8104F
                                          • Part of subcall function 00E4CEB0: ??0exception@std@@QAE@XZ.MSVCR90(61C1F77A,?,?,?,00ED1429,000000FF,00E4CF5D,?,?,00ECDCE6,?), ref: 00E4CED8
                                          • Part of subcall function 00E4CEB0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP90 ref: 00E4CEF4
                                        • _CxxThrowException.MSVCR90(?,00EEAF50), ref: 00E8107D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: ??0?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0exception@std@@ExceptionThrowV01@@
                                        • String ID: list<T> too long
                                        • API String ID: 3995155753-4027344264
                                        • Opcode ID: 6fd0b3539ae99130010f63c8ee818bd77f45974db5c59ee75ac62216ad7ec17d
                                        • Instruction ID: 053a993904163749a7ac3a054ef35d8f1c03b018ecf6df385cb694e3c636f885
                                        • Opcode Fuzzy Hash: 6fd0b3539ae99130010f63c8ee818bd77f45974db5c59ee75ac62216ad7ec17d
                                        • Instruction Fuzzy Hash: C20184765083409FC304EB28C841B56F7E4EB98724F148B1FF469A3390E731A505CB42
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(list<T> too long,E3DC3B0A,?,?,?,?,?,00000000,00FEF789,000000FF,00FCE5CD,00000001,?,?,?,?), ref: 00FD051F
                                          • Part of subcall function 00FC11A0: ??0exception@std@@QAE@XZ.MSVCR90(E3DC3B0A,00000024,?,?,00FEEBA9,000000FF,00FCB998), ref: 00FC11C8
                                          • Part of subcall function 00FC11A0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP90(?), ref: 00FC11E4
                                        • _CxxThrowException.MSVCR90(?,00FF4AD0), ref: 00FD054D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: ??0?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0exception@std@@ExceptionThrowV01@@
                                        • String ID: list<T> too long
                                        • API String ID: 3995155753-4027344264
                                        • Opcode ID: 84592e97afc151bd34600fb0027b7efe3e14e508a27215ede7a815ea7b4afdab
                                        • Instruction ID: 01e8f57c00ea532915170f1646f8223e952405d16c315dc2e0c3cebd709b6116
                                        • Opcode Fuzzy Hash: 84592e97afc151bd34600fb0027b7efe3e14e508a27215ede7a815ea7b4afdab
                                        • Instruction Fuzzy Hash: 0601B1B6508244DFC300DF28C881B5ABBE8FF88714F14872EF55993290EB74E504CA42
                                        APIs
                                        • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP90(vector<T> too long,61C1F77A,?,?,?,?,?,?,?,?,?,?,00ED17C9,000000FF,00E4D454,61C1F77A), ref: 00E534FC
                                          • Part of subcall function 00E4CEB0: ??0exception@std@@QAE@XZ.MSVCR90(61C1F77A,?,?,?,00ED1429,000000FF,00E4CF5D,?,?,00ECDCE6,?), ref: 00E4CED8
                                          • Part of subcall function 00E4CEB0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP90 ref: 00E4CEF4
                                        • _CxxThrowException.MSVCR90(?,00EEAF50), ref: 00E5352A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1785646943.0000000000E41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E40000, based on PE: true
                                        • Associated: 00000007.00000002.1785612213.0000000000E40000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785750191.0000000000ED3000.00000002.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785811596.0000000000EF0000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785846920.0000000000F40000.00000004.00000001.01000000.0000000D.sdmp
                                        • Associated: 00000007.00000002.1785899875.0000000000F43000.00000002.00000001.01000000.0000000D.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e40000_thelper.jbxd
                                        Similarity
                                        • API ID: ??0?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0exception@std@@ExceptionThrowV01@@
                                        • String ID: vector<T> too long
                                        • API String ID: 3995155753-3788999226
                                        • Opcode ID: a5d058992e6e0f0c1f3d9c2074bcc906cd43d944955430c6d32d25831300ecce
                                        • Instruction ID: 91526c6792aabb2084d42bd388c0a560acf23ab980b07c6bf841b38997ca80a3
                                        • Opcode Fuzzy Hash: a5d058992e6e0f0c1f3d9c2074bcc906cd43d944955430c6d32d25831300ecce
                                        • Instruction Fuzzy Hash: 2DF08CB5108340ABC304EB65CA42F6BB7E8EB48B14F001A1EF056A2290DB74A609CA12
                                        APIs
                                        • lua_type.XLLUARUNTIME(?,?), ref: 00FD70AC
                                        • luaL_argerror.XLLUARUNTIME(?,?,value expected), ref: 00FD70C0
                                          • Part of subcall function 00FD6E80: lua_getstack.XLLUARUNTIME(?,00000000,00FCF237,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1,?,00FCF237), ref: 00FD6EA0
                                          • Part of subcall function 00FD6E80: luaL_error.XLLUARUNTIME(?,bad argument #%d (%s),?,?,?,00FCF237,?,?,?,?,?,?,?,?,?,00FD6FB1), ref: 00FD6EB8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: L_argerrorL_errorlua_getstacklua_type
                                        • String ID: value expected
                                        • API String ID: 3446470471-841185261
                                        • Opcode ID: 0ea16442e5ad7c55531b6c75d3cb36b9cfd84b7334282fc75d4f22558fc3c1c1
                                        • Instruction ID: 823155a14ced532d66a1aac437afe8b58cc43bda482ac795801314aef7924976
                                        • Opcode Fuzzy Hash: 0ea16442e5ad7c55531b6c75d3cb36b9cfd84b7334282fc75d4f22558fc3c1c1
                                        • Instruction Fuzzy Hash: 9FD0A72BC0512036851022157C018AF776D4DE2736F084617F128A32D1D234540561F3
                                        APIs
                                        • lua_newuserdata.XLLUARUNTIME(?,00000004,00000000,00FD03C2,?,00000000), ref: 00FC3018
                                        • lua_setfield.XLLUARUNTIME(?,FFFFD8F0,XLLRT_RUNTIME,?,00000004,00000000,00FD03C2,?,00000000), ref: 00FC302E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1786253448.0000000000FC1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FC0000, based on PE: true
                                        • Associated: 00000007.00000002.1786182282.0000000000FC0000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786326926.0000000000FF1000.00000002.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786366957.0000000000FF9000.00000004.00000001.01000000.0000000C.sdmp
                                        • Associated: 00000007.00000002.1786408688.0000000000FFB000.00000002.00000001.01000000.0000000C.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_fc0000_thelper.jbxd
                                        Similarity
                                        • API ID: lua_newuserdatalua_setfield
                                        • String ID: XLLRT_RUNTIME
                                        • API String ID: 1083176672-3692059069
                                        • Opcode ID: 4453fbb753de5d66bdf8a35cffecba2ea243a5d6c833cf25f3891158361f3c10
                                        • Instruction ID: 3e9f8160094264335e7af0580003addc51e8deaf0d3c82c4e696ec1fa5d20580
                                        • Opcode Fuzzy Hash: 4453fbb753de5d66bdf8a35cffecba2ea243a5d6c833cf25f3891158361f3c10
                                        • Instruction Fuzzy Hash: 8AD022760583306AC600AA08AC02ECF33881F85B00F0D044AF3012B391CA79A801A7F6